AWS CloudFormation Stack Updates

Updated Jan 25, 2024

Update AWS CloudFormation Stacks

You can update the CloudFormation stacks that Arctic Wolf® provides in an Amazon Web Services (AWS) account.

Notes:

  • Occasionally, Arctic Wolf offers service enhancements to our AWS log collection that require you to update the CloudFormation stacks in your account to the latest version. Your Concierge Security® Team (CST) will advise you about when you need to follow this process.
  • In December 2021, the CloudFormation template used for CloudTrail and Amazon GuardDuty implementations was updated to automatically block public access during Simple Storage Service (S3) bucket creation. If you did not manually configure your implementation to block public access during S3 bucket creation, Arctic Wolf recommends this process to update your CloudFormation stack.

Before you begin

Steps

  1. Access CloudFormation in the AWS Management Console.
  2. Select your preferred region.
  3. Update CloudFormation stacks.
  4. Verify the GuardDuty KMS key.

Step 1: Access CloudFormation in the AWS Management Console

  1. Sign in to the AWS Management Console.

  2. Verify that your user or role has the appropriate permissions:

    • If your organization uses IAM roles:

      1. In the menu bar, click your username, and then select Switch Role.
      2. Follow the prompts to assume a new role with the appropriate permissions.
    • If your organization does not use IAM roles, or you have the appropriate permissions, go to the next step.

    • If your organization uses AWS Control Tower, complete Configure CloudTrail Monitoring with AWS Control Tower, using the AWSControlTowerExecutionRole role.

  3. In the menu bar, click Services > CloudFormation to access the CloudFormation console.

Step 2: Select your preferred region

  1. In the navigation menu, click Region.
  2. Select your preferred region.

Step 3: Update CloudFormation stacks

Update your CloudFormation stacks when there are configuration enhancements, such as the Python 3 Lambda upgrade that affected the CloudFormation stack for S3 bucket log monitoring.

For each CloudFormation stack, complete these steps:

Note: See Configure AWS Account Monitoring for all AWS configuration options.

  1. On the Stacks page, in the search bar, enter your base stack name. For example, ArcticWolf.

  2. Select the corresponding stack from the Stack list.

    Tip: Nested stacks include a prefix. To make sure you choose the base stack, check the stack name for the <--Stack Name--> prefix.

  3. In the actions bar, click Update.

  4. In the Prerequisite - Prepare template section, select Replace current template.

  5. In the Specify template section, for template source, select Amazon S3 URL.

  6. On a new browser tab, sign in to the MDR Dashboard to retrieve the AWS stack link.

  7. In the navigation menu, click your organization name, and then select Arctic Wolf IP Addresses.

  8. In the AWS CloudFormation Stack Links section, if the stack name is:

    • ArcticWolf or similar — Copy the CloudTrail stack URL.
    • ArcticWolf-S3LogForward or similar — Copy the Simple Storage Service (S3) Logs stack URL.

  9. On the CloudFormation browser tab, in the Specify template section, for the Amazon S3 URL, enter the URL you copied in the previous step.

  10. Click Next.

  11. On the Specify stack details page, click Next.

    Note: Do not adjust settings on the Specify stack details page, unless your CST® requests it.

  12. On the Configure stack options page, click Next.

    Note: Do not adjust settings on the Configure stack options page, unless your CST® requests it.

  13. On the Review page, in the Capabilities section, select all checkboxes.

    Note: Make sure these checkboxes are also selected:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names
    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

    CloudFormation provides a preview of stack changes.

  14. Click Update stack.

    CloudFormation begins updating stacks and resources in your account, prefixed with the stack name property.

  15. Verify that the Status column value of your stack changes to UPDATE_COMPLETE.

    Stacks are successfully updated.

  16. Contact your Concierge Security® Team to inform them that you completed this process.
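
A post-update check for the status verification in this step and the S3 public access note at the top of the page, as an added example that is not Arctic Wolf tooling. It reads JSON in the shape returned by `aws cloudformation describe-stacks` and `aws s3api get-public-access-block`; the bucket names, account ID, and nested stack name are constructed, and the expectation that all four Block Public Access flags are enabled is an assumption.

```python
import json

# The four S3 Block Public Access settings; this check expects all four
# to be enabled (assumption, the page only says public access is blocked).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def base_stacks(describe_stacks: dict, name_prefix: str) -> list:
    """Return base (non-nested) stacks whose name starts with name_prefix.

    Nested stacks carry a ParentId in describe-stacks output; base stacks do not.
    """
    return [s for s in describe_stacks.get("Stacks", [])
            if s["StackName"].startswith(name_prefix) and "ParentId" not in s]


def stack_findings(describe_stacks: dict, name_prefix: str = "ArcticWolf") -> list:
    """List base stacks that have not reached UPDATE_COMPLETE."""
    return [f"{s['StackName']}: status {s['StackStatus']}"
            for s in base_stacks(describe_stacks, name_prefix)
            if s["StackStatus"] != "UPDATE_COMPLETE"]


def bucket_findings(bucket: str, pab_response) -> list:
    """List Block Public Access flags that are missing or false for a bucket.

    pab_response is the get-public-access-block JSON, or None when the call
    failed because the bucket has no public access block configuration.
    """
    cfg = (pab_response or {}).get("PublicAccessBlockConfiguration", {})
    return [f"{bucket}: {flag} not enabled"
            for flag in PAB_FLAGS if cfg.get(flag) is not True]


# Constructed sample data in the shape of the AWS CLI JSON output.
SAMPLE_STACKS = json.loads("""{"Stacks": [
  {"StackName": "ArcticWolf", "StackStatus": "UPDATE_COMPLETE"},
  {"StackName": "ArcticWolf-S3LogForward", "StackStatus": "UPDATE_ROLLBACK_COMPLETE"},
  {"StackName": "ArcticWolf-Nested-EXAMPLE", "StackStatus": "UPDATE_IN_PROGRESS",
   "ParentId": "arn:aws:cloudformation:us-east-1:111122223333:stack/ArcticWolf/EXAMPLE"}
]}""")
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for line in (stack_findings(SAMPLE_STACKS)
                 + bucket_findings("example-log-bucket", SAMPLE_PAB)
                 + bucket_findings("example-unconfigured-bucket", None)):
        print("FINDING", line)
```

A stack that was never updated reports CREATE_COMPLETE and is therefore listed as a finding, which matches the UPDATE_COMPLETE check in this step.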

Step 4: Verify the GuardDuty KMS key

For each region where you have Amazon GuardDuty monitoring configured, complete these steps:

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings.
  3. In the Findings export options section, in the S3 bucket setting, click Edit.
  4. In the Key Alias section, do one of these actions:
    • If your personal KMS key is selected, no action is required.
    • If a key without an alias is selected, select AWNKMSKey from the list, and then click Save.