CloudFormation template and JSON file to create CloudTrail monitoring in AWS Elasticsearch Service
This repository is part of a series that aims to build security monitoring in an AWS account using AWS 'native' services.
The CloudFormation template in this repo deploys a CloudWatch Logs log group subscription, a Kinesis Firehose delivery stream, an S3 bucket and two IAM roles with policies. It does not create an Elasticsearch domain: I assume you are using a central domain for monitoring and have already created it.
The Lambda function uses code from the VPC visualizer, but only its ingestor. To use it, zip index.js and upload the archive to the specified bucket:

    zip ingestor.zip index.js
    aws s3api put-object --key lambdafunctions/ingestor.zip --body ingestor.zip --bucket mycodebucket
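As an added illustration of the wiring described above (this is not the repo's template, and it leaves out the Lambda ingestor step), the fragment below subscribes an existing CloudTrail log group to a Firehose stream that delivers into an existing domain, with each of the two roles scoped to that one stream, domain and bucket; the parameter and resource names are assumptions. CloudWatch Logs hands Firehose gzip-compressed batches, so a decompression/transform step is still needed before Elasticsearch can index the events.

```yaml
Parameters: { CloudTrailLogGroup: { Type: String }, ElasticsearchDomainArn: { Type: String }, BackupBucketArn: { Type: String } }
Resources:
  SubscriptionRole:   # role 1: CloudWatch Logs in this account may only write to this one stream
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal: { Service: logs.amazonaws.com }
            Condition:   # confused-deputy guard: only log groups of this account and region
              StringLike: { 'aws:SourceArn': !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*' }
      Policies:
        - PolicyName: PutToFirehose
          PolicyDocument: { Version: '2012-10-17', Statement: [ { Effect: Allow, Resource: !GetAtt DeliveryStream.Arn,
                            Action: [firehose:PutRecord, firehose:PutRecordBatch] } ] }
  FirehoseRole:       # role 2: Firehose may index into the domain and park failures in the bucket
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [ { Effect: Allow, Action: sts:AssumeRole,
                                  Principal: { Service: firehose.amazonaws.com } } ] }
      Policies:
        - PolicyName: IndexAndBackup
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow   # ESHttpGet could be narrowed to the _settings, _stats and _nodes paths
                Action: [es:DescribeElasticsearchDomain, es:DescribeElasticsearchDomains, es:DescribeElasticsearchDomainConfig, es:ESHttpGet, es:ESHttpPost, es:ESHttpPut]
                Resource: [!Ref ElasticsearchDomainArn, !Sub '${ElasticsearchDomainArn}/*']
              - Effect: Allow
                Action: [s3:AbortMultipartUpload, s3:GetBucketLocation, s3:GetObject, s3:ListBucket, s3:ListBucketMultipartUploads, s3:PutObject]
                Resource: [!Ref BackupBucketArn, !Sub '${BackupBucketArn}/*']
  DeliveryStream:
    Type: AWS::KinesisFirehose::DeliveryStream
    Properties:
      ElasticsearchDestinationConfiguration:
        DomainARN: !Ref ElasticsearchDomainArn
        RoleARN: !GetAtt FirehoseRole.Arn
        IndexName: cloudtrail
        IndexRotationPeriod: OneDay          # daily indices keep retention and deletion simple
        S3BackupMode: FailedDocumentsOnly    # rejected events are kept in S3, not silently dropped
        S3Configuration: { BucketARN: !Ref BackupBucketArn, RoleARN: !GetAtt FirehoseRole.Arn }
  LogSubscription:    # empty pattern: every CloudTrail event in the group goes to the stream
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroup
      FilterPattern: ''
      DestinationArn: !GetAtt DeliveryStream.Arn
      RoleArn: !GetAtt SubscriptionRole.Arn
```

Reviewing the two role policies in the repo's template against this shape (one stream, one domain, one bucket, no wildcard resources) is a quick way to confirm it follows least privilege.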
To get the visualizations and dashboard, import the export I made through the management section of your Elasticsearch domain.