(addon): OpenSearch SIEM added CW Alarms (#1056)

* added CW Alarms

* fix typo

Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>

Author: rjjaegeraws

reference-artifacts/Add-ons/opensiem/README.md

@@ -543,3 +543,17 @@ The following AWS resources are retained when deleting the solution:
 2. In the operations account
    1. navigate to S3, open the S3 bucket prefixed with **opensearchsiemstack-**, and delete all the objects inside
    1. navigate to CloudFormation and delete the **OpenSearchSiemStack** stack
+
+
+## 11. Updates
+
+### September 2022
+- Updated the CDK version to v2.40.0
+- Updated the OpenSearch cluster with the latest version 1.3 (will cause a Blue/Green Deployment)
+- Updated the OpenSearch cluster to use GP3 for the EBS volume type (will cause a Blue/Green Deployment)
+- Added 14 CloudWatch Alarms to monitor the OpenSearch cluster based on the recommendations [here](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cloudwatch-alarms.html)
+- Reduced the Lambda Processor memory to 512MB and changed timeout to 2 minutes
+- Added a SNS queue to send alerts to registered emails. 
+- New configurations:
+  - "alertNotificationEmails": ["user@email.com"]  CloudWatch Alarm will send notifications to emails listed here
+  - "enableLambdaInsights": true Will enable CloudWatch Lambda Insights. This brings visibility into memory usage to have data to fine tune the Processor Lambda.

reference-artifacts/Add-ons/opensiem/SiemConfig.json

@@ -54,5 +54,7 @@
     "s3NotificationTopicNameOrExistingArn": "----- REPLACE -----",
     "enableLambdaSubscription": false,
     "organizationId": "----- REPLACE -----",
+    "enableLambdaInsights": false,
+    "alertNotificationEmails": [""],
     "siemVersion": "v2.6.1a"
 }

reference-artifacts/Add-ons/opensiem/lib/open-search.ts

@@ -98,7 +98,7 @@ export class OpenSearchDomain extends Construct {
     });
 
     this.resource = new opensearch.CfnDomain(this, 'Domain', {
-      engineVersion: 'OpenSearch_1.1',
+      engineVersion: 'OpenSearch_1.3',
       domainName,
       clusterConfig: {
         dedicatedMasterEnabled: true,
@@ -117,7 +117,7 @@ export class OpenSearchDomain extends Construct {
       ebsOptions: {
         ebsEnabled: true,
         volumeSize,
-        volumeType: 'gp2',
+        volumeType: 'gp3',
       },
       advancedSecurityOptions: {
         internalUserDatabaseEnabled: false,

reference-artifacts/Add-ons/opensiem/lib/opensearch-siem-stack.ts

@@ -23,12 +23,14 @@ import { SnsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
 import * as events from 'aws-cdk-lib/aws-events';
 import * as eventTargets from 'aws-cdk-lib/aws-events-targets';
 import * as sns from 'aws-cdk-lib/aws-sns';
+import * as snsSubscriptions from 'aws-cdk-lib/aws-sns-subscriptions';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as cognito from './siem-cognito';
 import { SiemConfig } from './siem-config';
 import * as opensearch from './open-search';
 import { OpenSearchSiemConfigure } from './siem-configure';
 import { OpenSearchSiemGeoIpInit } from './siem-geoip-download';
+import { Alerts } from './siem-alerts';
 
 export interface OpenSearchSiemStackProps extends StackProps {
   provisionServiceLinkedRole?: boolean;
@@ -251,14 +253,15 @@ export class OpenSearchSiemStack extends Stack {
       siemConfig.s3LogBuckets,
       siemConfig.siemVersion,
       siemConfig.enableLambdaSubscription,
+      siemConfig.enableLambdaInsights,
       siemConfig.s3NotificationTopicNameOrExistingArn,
       siemBucket,
     );
 
-    this.configureSnsAlerts(this, kmsEncryptionKey);
+    this.configureSnsAlerts(this, kmsEncryptionKey, domain.name, siemConfig.alertNotificationEmails);
   }
 
-  configureSnsAlerts(scope: Construct, kmsKey: kms.Key) {
+  configureSnsAlerts(scope: Construct, kmsKey: kms.Key, clusterDomainName: string, alertEmails: string[]) {
     const snsAlertRole = new iam.Role(scope, 'SnsAlertRole', {
       roleName: 'opensearch-siem-sns-role',
       assumedBy: new iam.ServicePrincipal('es.amazonaws.com'),
@@ -270,7 +273,18 @@ export class OpenSearchSiemStack extends Stack {
       masterKey: kmsKey,
     });
 
+    if (alertEmails && alertEmails.length > 0) {
+      for (const email of alertEmails) {
+        snsAlertTopic.addSubscription(new snsSubscriptions.EmailSubscription(email));
+      }
+    }
+
     snsAlertTopic.grantPublish(snsAlertRole);
+
+    new Alerts(scope, 'opensearch-siem-alerts', {
+      alertTopic: snsAlertTopic,
+      clusterDomainName,
+    });
   }
 
   configureSiemProcessor(
@@ -284,6 +298,7 @@ export class OpenSearchSiemStack extends Stack {
     s3LogBuckets: string[],
     siemVersion: string,
     enableTopicSubscription: boolean,
+    enableLambdaInsights: boolean,
     s3NotificationTopicNameOrExistingArn: string,
     geoIpUploadBucket?: s3.Bucket,
   ) {
@@ -294,9 +309,9 @@ export class OpenSearchSiemStack extends Stack {
       code: lambda.Code.fromAsset('lambdas/siem-processor/os-loader.zip'),
       role: lambdaRole,
       handler: 'index.lambda_handler',
-      timeout: Duration.seconds(900),
+      timeout: Duration.minutes(2),
       vpc,
-      memorySize: 2048,
+      memorySize: 512,
       vpcSubnets: {
         subnetFilters: [ec2.SubnetFilter.byIds(domainSubnetIds)],
       },
@@ -310,6 +325,7 @@ export class OpenSearchSiemStack extends Stack {
         GEOIP_BUCKET: geoIpUploadBucket?.bucketName || '',
         SIEM_VERSION: siemVersion,
       },
+      insightsVersion: enableLambdaInsights ? lambda.LambdaInsightsVersion.VERSION_1_0_135_0 : undefined,
     });
 
     for (const logBucket of s3LogBuckets) {