(enhancement): Add GuardDuty Kubernetes Protection

reference-artifacts/Add-ons/opensiem/README.md

@@ -543,3 +543,17 @@ The following AWS resources are retained when deleting the solution:
 2. In the operations account
    1. navigate to S3, open the S3 bucket prefixed with **opensearchsiemstack-**, and delete all the objects inside
    1. navigate to CloudFormation and delete the **OpenSearchSiemStack** stack
+
+
+## 11. Updates
+
+### September 2022
+- Updated the CDK version to v2.40.0
+- Updated the OpenSearch cluster with the latest version 1.3 (will cause a Blue/Green Deployment)
+- Updated the OpenSearch cluster to use GP3 for the EBS volume type (will cause a Blue/Green Deployment)
+- Added 14 CloudWatch Alarms to monitor the OpenSearch cluster based on the recommendations [here](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cloudwatch-alarms.html)
+- Reduced the Lambda Processor memory to 512MB and changed timeout to 2 minutes
+- Added a SNS queue to send alerts to registered emails. 
+- New configurations:
+  - "alertNotificationEmails": ["user@email.com"]  CloudWatch Alarm will send notifications to emails listed here
+  - "enableLambdaInsights": true Will enable CloudWatch Lambda Insights. This brings visibility into memory usage to have data to fine tune the Processor Lambda.

reference-artifacts/Add-ons/opensiem/SiemConfig.json

@@ -54,5 +54,7 @@
     "s3NotificationTopicNameOrExistingArn": "----- REPLACE -----",
     "enableLambdaSubscription": false,
     "organizationId": "----- REPLACE -----",
+    "enableLambdaInsights": false,
+    "alertNotificationEmails": [""],
     "siemVersion": "v2.6.1a"
 }

reference-artifacts/Add-ons/opensiem/lambdas/common/src/backoff.ts

@@ -20,8 +20,24 @@ export function throttlingBackOff<T>(
   request: () => Promise<T>,
   options?: Partial<Omit<IBackOffOptions, 'retry'>>,
 ): Promise<T> {
+  const defaultDelay = 500;
+  let maxDelayValue = 2000;
+
+  if (process.env.BACKOFF_START_DELAY) {
+    const backoffStartDelay = parseInt(process.env.BACKOFF_START_DELAY, 10);
+    if (Number.isInteger(backoffStartDelay)) {
+      maxDelayValue = backoffStartDelay;
+    }
+  }
+
+  // Add jitter to the starting delay
+  const startingDelay = Math.random() * (maxDelayValue - defaultDelay + 1) + defaultDelay;
+
+  console.log(`throttlingBackOff delay set to ${startingDelay}`);
+
   return backOff(request, {
-    startingDelay: 500,
+    startingDelay,
+    delayFirstAttempt: true,
     jitter: 'full',
     retry: isThrottlingError,
     ...options,
@@ -34,6 +50,7 @@ export const isThrottlingError = (e: any) =>
   e.code === 'ConcurrentModificationException' || // Retry for AWS Organizations
   e.code === 'InsufficientDeliveryPolicyException' || // Retry for ConfigService
   e.code === 'NoAvailableDeliveryChannelException' || // Retry for ConfigService
+  e.code === 'ConcurrentModifications' || // Retry for AssociateHostedZone
   e.code === 'TooManyRequestsException' ||
   e.code === 'Throttling' ||
   e.code === 'ThrottlingException' ||

reference-artifacts/Add-ons/opensiem/lib/open-search.ts

@@ -98,7 +98,7 @@ export class OpenSearchDomain extends Construct {
     });
 
     this.resource = new opensearch.CfnDomain(this, 'Domain', {
-      engineVersion: 'OpenSearch_1.1',
+      engineVersion: 'OpenSearch_1.3',
       domainName,
       clusterConfig: {
         dedicatedMasterEnabled: true,
@@ -117,7 +117,7 @@ export class OpenSearchDomain extends Construct {
       ebsOptions: {
         ebsEnabled: true,
         volumeSize,
-        volumeType: 'gp2',
+        volumeType: 'gp3',
       },
       advancedSecurityOptions: {
         internalUserDatabaseEnabled: false,

reference-artifacts/Add-ons/opensiem/lib/opensearch-siem-stack.ts

@@ -23,12 +23,14 @@ import { SnsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
 import * as events from 'aws-cdk-lib/aws-events';
 import * as eventTargets from 'aws-cdk-lib/aws-events-targets';
 import * as sns from 'aws-cdk-lib/aws-sns';
+import * as snsSubscriptions from 'aws-cdk-lib/aws-sns-subscriptions';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import * as cognito from './siem-cognito';
 import { SiemConfig } from './siem-config';
 import * as opensearch from './open-search';
 import { OpenSearchSiemConfigure } from './siem-configure';
 import { OpenSearchSiemGeoIpInit } from './siem-geoip-download';
+import { Alerts } from './siem-alerts';
 
 export interface OpenSearchSiemStackProps extends StackProps {
   provisionServiceLinkedRole?: boolean;
@@ -251,14 +253,15 @@ export class OpenSearchSiemStack extends Stack {
       siemConfig.s3LogBuckets,
       siemConfig.siemVersion,
       siemConfig.enableLambdaSubscription,
+      siemConfig.enableLambdaInsights,
       siemConfig.s3NotificationTopicNameOrExistingArn,
       siemBucket,
     );
 
-    this.configureSnsAlerts(this, kmsEncryptionKey);
+    this.configureSnsAlerts(this, kmsEncryptionKey, domain.name, siemConfig.alertNotificationEmails);
   }
 
-  configureSnsAlerts(scope: Construct, kmsKey: kms.Key) {
+  configureSnsAlerts(scope: Construct, kmsKey: kms.Key, clusterDomainName: string, alertEmails: string[]) {
     const snsAlertRole = new iam.Role(scope, 'SnsAlertRole', {
       roleName: 'opensearch-siem-sns-role',
       assumedBy: new iam.ServicePrincipal('es.amazonaws.com'),
@@ -270,7 +273,18 @@ export class OpenSearchSiemStack extends Stack {
       masterKey: kmsKey,
     });
 
+    if (alertEmails && alertEmails.length > 0) {
+      for (const email of alertEmails) {
+        snsAlertTopic.addSubscription(new snsSubscriptions.EmailSubscription(email));
+      }
+    }
+
     snsAlertTopic.grantPublish(snsAlertRole);
+
+    new Alerts(scope, 'opensearch-siem-alerts', {
+      alertTopic: snsAlertTopic,
+      clusterDomainName,
+    });
   }
 
   configureSiemProcessor(
@@ -284,6 +298,7 @@ export class OpenSearchSiemStack extends Stack {
     s3LogBuckets: string[],
     siemVersion: string,
     enableTopicSubscription: boolean,
+    enableLambdaInsights: boolean,
     s3NotificationTopicNameOrExistingArn: string,
     geoIpUploadBucket?: s3.Bucket,
   ) {
@@ -294,9 +309,9 @@ export class OpenSearchSiemStack extends Stack {
       code: lambda.Code.fromAsset('lambdas/siem-processor/os-loader.zip'),
       role: lambdaRole,
       handler: 'index.lambda_handler',
-      timeout: Duration.seconds(900),
+      timeout: Duration.minutes(2),
       vpc,
-      memorySize: 2048,
+      memorySize: 512,
       vpcSubnets: {
         subnetFilters: [ec2.SubnetFilter.byIds(domainSubnetIds)],
       },
@@ -310,6 +325,7 @@ export class OpenSearchSiemStack extends Stack {
         GEOIP_BUCKET: geoIpUploadBucket?.bucketName || '',
         SIEM_VERSION: siemVersion,
       },
+      insightsVersion: enableLambdaInsights ? lambda.LambdaInsightsVersion.VERSION_1_0_135_0 : undefined,
     });
 
     for (const logBucket of s3LogBuckets) {