Cloudformation and json file to create cloudtrail monitoring in AWS ElasticSearchService
docs
LICENSE
README.md
cloudformation.yaml
elk.json
index.js

aws-cloudtrailtoelk

Cloudformation and json file to create cloudtrail monitoring in AWS ElasticSearchService

Series

This repository is part of a series which aims to create security monitoring in an AWS account with AWS 'native' solutions.

Setup

The CloudFormation template in this repo deploys a CloudWatch Logs log group subscription, a Kinesis Data Firehose delivery stream, an S3 bucket and two IAM roles with policies. It does not create an Elasticsearch domain: I assume you are using a central one for monitoring and have already created it.

The structure (flow) of the application is still the same (diagram: infra).

Lambda

The Lambda uses code from the VPC visualizer, but only the ingestor part. To use it, zip index.js into an archive and upload it to the bucket specified in the template.

Example:

zip ingestor.zip index.js
aws s3api put-object --key lambdafunctions/ingestor.zip --body ingestor.zip --bucket mycodebucket

Dashboard

The dashboard shows a quick overview of CloudTrail: the regions used, the services used, the entities that are active, and two line graphs showing authorized and unauthorized/denied API calls.

To get the visualizations and dashboard, you can import the export I made in the management section of your Elasticsearch domain.