AWS CloudFormation Stack Updates
Updated Aug 31, 2023
Update AWS CloudFormation Stacks
This guide describes how to upgrade the CloudFormation stacks that Arctic Wolf® provides in an Amazon Web Services® (AWS) account.
Note: Occasionally, Arctic Wolf offers service enhancements to our AWS log collection that require you to update the CloudFormation stacks in your account to the latest version, such as when we add additional functionality. Your Concierge Security® Team (CST) will advise you about when you need to follow this process.
Before you begin
Before you begin updating your stacks:
- Verify that the AWS user or IAM role that you are using includes the AdministratorAccess or an equivalent IAM policy, as well as permissions to access the AWS Management Console. This user or role must have permissions to create, update, and delete stacks and dependent resources. These resources include:
  - CloudFormation stacks
  - CloudTrail trails
  - CloudWatch Logs log groups
  - IAM roles and managed policies
  - Lambda functions and custom resources
  - Kinesis Firehose delivery streams
  - S3 buckets
  - SNS topics and topic policies
  Tip: For more information about AWS Management Console, see the AWS documentation and FAQ on the AWS website.
- If the ArcticWolf-GuardDuty stack was already created, you need to delete it.
- Review your stacks for any deprecated stacks to remove them as part of the update process. See Deprecated stacks for more information.
Access CloudFormation in the AWS Management Console
- Sign in to the AWS management console.
- Ensure your user or role has the appropriate permissions:
  - If your organization uses IAM roles:
    - In the navigation bar, click your user name, and then select Switch Role.
    - Follow the prompts to assume a new role with the appropriate permissions.
  - If your organization does not use IAM roles, or you have the appropriate permissions — Proceed to step 2.
  - If your organization uses AWS Control Tower — Use the AWSControlTowerExecutionRole as outlined in Configure CloudTrail Monitoring with AWS Control Tower.
- Access the CloudFormation console:
  - In the navigation bar, click Services to access the AWS service list.
  - Type or select CloudFormation from the list.
- Select your preferred region:
  - In the navigation bar, open the Region list.
    Tip: The Region list is located beside your user name.
  - Select your preferred region.
Update CloudFormation stacks
This section describes how to update CloudFormation stacks.
Note: You need to repeat the steps in this section for all of your CloudFormation stacks. For more information about other stacks that you can update with the Amazon S3 template URL, see Update other CloudFormation stacks.
- On the Stacks page, search for your base stack name, such as ArcticWolf, and then select the corresponding stack from the stack list.
  Tip: Nested stacks include a prefix. To ensure you choose the base stack, check the stack name for the <--Stack Name--> prefix.
- In the Actions bar, click Update.
- Choose a template:
  - Select Replace current template.
  - Select Amazon S3 URL to use the Amazon S3 URL template.
- In a new tab, sign in to the Arctic Wolf Portal to retrieve the AWS stack link.
- In the navigation bar, click on your organization name to open the dropdown menu, and then select Arctic Wolf IP Addresses.
- Navigate to the AWS CloudFormation Stack Links section. If the stack name is:
  - ArcticWolf or similar — Copy and paste the CloudTrail stack link from the Arctic Wolf Portal into the Amazon S3 URL text box, and then click Next.
  - ArcticWolf-S3LogForward or similar — Copy and paste the Simple Storage Service (S3) Logs stack link from the Arctic Wolf Portal into the Amazon S3 URL text box, and then click Next.
- On the Specify stack details page, do not make any changes, and then click Next to move to the Options page.
  Note: Do not adjust settings on the Specify stack details page unless instructed otherwise by your CST.
- On the Configure stack options page, do not make any changes, and then click Next to move to the Review page.
- On the Review page, scroll to the Capabilities section and select all checkboxes, including:
  - I acknowledge that AWS CloudFormation might create IAM resources with custom names
  - I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
  CloudFormation then provides a preview of stack changes.
- After the page loads, click Update stack to continue.
  CloudFormation begins updating stacks and resources in your account, prefixed with the stack name property.
- Verify that the Status column value of your stack changes to UPDATE_COMPLETE.
  Stacks are successfully updated.
- Let your CST know that you completed this process.
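The preview of stack changes can also be reviewed as data before the update runs. The following added example (not Arctic Wolf or AWS code) assumes you created a change set for the update and saved the JSON from aws cloudformation describe-change-set; it flags changes to IAM resources and SNS topic policies, removals, and possible replacements. The sample change set and its logical IDs are constructed for illustration.

```python
# Resource types from the stacks' dependent resources that grant or carry permissions.
SENSITIVE_PREFIXES = ("AWS::IAM::", "AWS::SNS::TopicPolicy")


def review_change_set(change_set):
    """Return one finding per resource change that warrants manual review."""
    findings = []
    for change in change_set.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        reasons = []
        if rc["ResourceType"].startswith(SENSITIVE_PREFIXES):
            reasons.append("permission-bearing resource")
        if rc["Action"] == "Remove":
            reasons.append("resource will be deleted")
        # Replacement is reported as the strings "True", "False" or "Conditional".
        if rc["Action"] == "Modify" and rc.get("Replacement") in ("True", "Conditional"):
            reasons.append("resource may be replaced")
        if reasons:
            findings.append({"id": rc["LogicalResourceId"],
                             "type": rc["ResourceType"],
                             "action": rc["Action"],
                             "reasons": reasons})
    return findings


def sample_change(action, logical_id, rtype, replacement=None):
    """Build one constructed change entry in describe-change-set shape."""
    rc = {"Action": action, "LogicalResourceId": logical_id, "ResourceType": rtype}
    if replacement is not None:
        rc["Replacement"] = replacement
    return {"Type": "Resource", "ResourceChange": rc}


# Constructed sample: logical IDs are invented, not taken from the Arctic Wolf template.
SAMPLE_CHANGE_SET = {
    "StackName": "ArcticWolf",
    "Changes": [
        sample_change("Modify", "ForwarderFunction", "AWS::Lambda::Function", "False"),
        sample_change("Modify", "ForwarderRole", "AWS::IAM::Role", "False"),
        sample_change("Modify", "DeliveryStream", "AWS::KinesisFirehose::DeliveryStream", "Conditional"),
        sample_change("Remove", "LegacyTopicPolicy", "AWS::SNS::TopicPolicy"),
        sample_change("Add", "LogBucket", "AWS::S3::Bucket"),
    ],
}

if __name__ == "__main__":
    for f in review_change_set(SAMPLE_CHANGE_SET):
        print(f"{f['action']:6} {f['type']:40} {f['id']}: {', '.join(f['reasons'])}")
```

Anything the review flags that you do not expect is a question for your CST before you continue.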
Update other CloudFormation stacks
Depending on the currently configured stacks in your AWS account, repeat the update process for one or more CloudFormation stacks in each AWS region that you want Arctic Wolf to monitor. You should also remove the stacks specified in Deprecated stacks as part of your stack updates.
Update your CloudFormation stacks when there are configuration enhancements, such as the Python 3 Lambda upgrade, that affected the CloudFormation stack for S3 bucket log monitoring.
To update other CloudFormation stacks:
- Confirm the name of the CloudFormation stack that you want to update, for example ArcticWolf-S3LogForward for S3 bucket log monitoring.
- Proceed to Update CloudFormation stacks.
- Repeat these steps as necessary to update other CloudFormation stacks.
See Configure AWS Account Monitoring for all AWS configuration options.
Verify the GuardDuty KMS key
If you have GuardDuty monitoring configured, verify the KMS key after completing the CloudFormation stack updates. If you configured GuardDuty monitoring using the Arctic Wolf KMS key instead of a personal key, you must ensure that AWNKMSKey is selected.
- Sign in to the GuardDuty console.
- In the navigation pane, click Settings.
- In the Findings export options section, under S3 bucket, click Edit.
- Under Key Alias, verify the KMS key:
  - If your personal KMS key is selected, no action is required.
  - If a key without an alias is selected, select AWNKMSKey from the dropdown list, and then click Save.
- Repeat these steps as necessary for other regions with GuardDuty monitoring configured.
Deprecated stacks
These Arctic Wolf AWS stacks are deprecated and you can remove them:
- ArcticWolf-CloudWatchLogs
- ArcticWolf-SystemsManagerLogs
- ArcticWolf-GuardDuty
- AWS monitoring in additional regions
Note: If you previously configured GuardDuty using an Arctic Wolf stack, you can delete this stack from each of the configured regions, and follow the instructions in Configure Amazon GuardDuty Monitoring to enable GuardDuty across multiple regions.
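To check a region after the update, the following added example (not Arctic Wolf or AWS code) sorts the output of aws cloudformation describe-stacks into base stacks that were updated, stacks still pending, and deprecated stacks to remove. It treats a stack as updated only if it is UPDATE_COMPLETE and its LastUpdatedTime falls after the start of this update, since a stack can already show UPDATE_COMPLETE from an earlier change. The ArcticWolf prefix, the exact-name match on deprecated stacks, and the sample data are assumptions; adjust them if your stack names differ.

```python
from datetime import datetime, timezone

# Stack names the page lists as deprecated.
DEPRECATED = {"ArcticWolf-CloudWatchLogs", "ArcticWolf-SystemsManagerLogs",
              "ArcticWolf-GuardDuty"}


def audit_region(describe_stacks, since, prefix="ArcticWolf"):
    """Sort one region's base stacks into updated / pending / remove."""
    report = {"updated": [], "pending": [], "remove": []}
    for stack in describe_stacks.get("Stacks", []):
        name, status = stack["StackName"], stack["StackStatus"]
        # Nested stacks carry a ParentId and are updated through their base stack.
        if "ParentId" in stack or not name.startswith(prefix):
            continue
        if name in DEPRECATED:
            report["remove"].append(name)
            continue
        last = stack.get("LastUpdatedTime")  # absent if the stack was never updated
        fresh = last is not None and datetime.fromisoformat(last) >= since
        if status == "UPDATE_COMPLETE" and fresh:
            report["updated"].append(name)
        else:
            # Covers stale UPDATE_COMPLETE, CREATE_COMPLETE, rollbacks, in-progress.
            report["pending"].append((name, status, last))
    return report


# Constructed sample for one region; IDs and timestamps are invented.
SAMPLE_STACKS = {"Stacks": [
    {"StackName": "ArcticWolf", "StackStatus": "UPDATE_COMPLETE",
     "LastUpdatedTime": "2023-09-05T14:02:11.482000+00:00"},
    {"StackName": "ArcticWolf-S3LogForward", "StackStatus": "UPDATE_COMPLETE",
     "LastUpdatedTime": "2022-03-10T09:15:00+00:00"},
    {"StackName": "ArcticWolf-GuardDuty", "StackStatus": "CREATE_COMPLETE"},
    {"StackName": "ArcticWolf-Trail-EXAMPLE", "StackStatus": "UPDATE_COMPLETE",
     "ParentId": "arn:aws:cloudformation:us-east-1:111122223333:stack/ArcticWolf/example",
     "LastUpdatedTime": "2023-09-05T14:01:40+00:00"},
    {"StackName": "billing-app", "StackStatus": "CREATE_COMPLETE"},
]}
UPDATE_STARTED = datetime(2023, 9, 1, tzinfo=timezone.utc)  # assumed start of the update

if __name__ == "__main__":
    print(audit_region(SAMPLE_STACKS, UPDATE_STARTED))
```

Run it once per monitored region, because describe-stacks only returns stacks for the region it is called in.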