Help Documentation

Cloud Detection and Response

AWS CloudFormation Stack Updates

Updated Aug 31, 2023

Update AWS CloudFormation Stacks

This guide describes how to upgrade the CloudFormation stacks that Arctic Wolf® provides in an Amazon Web Services® (AWS) account.

Note: Occasionally, Arctic Wolf offers service enhancements to our AWS log collection that require you to update the CloudFormation stacks in your account to the latest version, such as when we add additional functionality. Your Concierge Security® Team (CST) will advise you about when you need to follow this process.

Before you begin

Before you begin updating your stacks:

Access CloudFormation in the AWS Management Console

  1. Sign in to the AWS management console.

  2. Ensure your user or role has the appropriate permissions:

    • If your organization uses IAM roles:

      1. In the navigation bar, click your user name, and then select Switch Role.
      2. Follow the prompts to assume a new role with the appropriate permissions.

    • If your organization does not use IAM roles, or you have the appropriate permissions — Proceed to step 2.

    • If your organization uses AWS Control Tower — Use the AWSControlTowerExecutionRole as outlined in Configure CloudTrail Monitoring with AWS Control Tower.

  3. Access the CloudFormation console:

    1. In the navigation bar, click Services to access the AWS service list.

    2. Type or select CloudFormation from the list.

Select your preferred region

  1. In the navigation bar, open the Region list.

    Tip: The Region list is located beside your user name.

  2. Select your preferred region.

Update CloudFormation stacks

This section describes how to update CloudFormation stacks.

Note: You need to repeat the steps in this section for all of your CloudFormation stacks. For more information about other stacks that you can update with the Amazon S3 template URL, see Update other CloudFormation stacks.

  1. On the Stacks page, search for your base stack name, such as ArcticWolf, and then select the corresponding stack from the stack list.

    Tip: Nested stacks include a prefix. To ensure you choose the base stack, check the stack name for the <--Stack Name--> prefix.

  2. In the Actions bar, click Update.

  3. Choose a template:

    1. Select Replace current template.
    2. Select Amazon S3 URL to use the Amazon S3 URL template.

  4. In a new tab, sign in to the Arctic Wolf Portal to retrieve the AWS stack link.

  5. In the navigation bar, click on your organization name to open the dropdown menu, and then select Arctic Wolf IP Addresses.

  6. Navigate to the AWS CloudFormation Stack Links section. If the stack name is:

    • ArcticWolf or similar — Copy and paste the CloudTrail stack link from the Arctic Wolf Portal into the Amazon S3 URL text box, and then click Next.

    • ArcticWolf-S3LogForward or similar — Copy and paste the Simple Storage Service (S3) Logs stack link from the Arctic Wolf Portal into the Amazon S3 URL text box, and then click Next.

  7. On the Specify stack details page, do not make any changes, and then click Next to move to the Options page.

    Note: Do not adjust settings on the Specify stack details page unless instructed otherwise by your CST.

  8. On the Configure stack options page, do not make any changes, and then click Next to move to the Review page.

  9. On the Review page, scroll to the Capabilities section and select all checkboxes, including:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names
    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

    CloudFormation then provides a preview of stack changes.

  10. After the page loads, click Update stack to continue.

    CloudFormation begins updating stacks and resources in your account, prefixed with the stack name property.

  11. Verify that the Status column value of your stack changes to UPDATE_COMPLETE.

    Stacks are successfully updated.

  12. Let your CST know that you completed this process.

Update other CloudFormation stacks

Depending on the currently configured stacks in your AWS account, repeat the update process for one or more CloudFormation stacks in each AWS region that you want Arctic Wolf to monitor. You should also remove the stacks specified in Deprecated stacks as part of your stack updates.

Update your CloudFormation stacks when there are configuration enhancements, such as the Python 3 Lambda upgrade, that affected the CloudFormation stack for S3 bucket log monitoring.

To update other CloudFormation stacks:

  1. Confirm the name of the CloudFormation stack that you want to update, for example ArcticWolf-S3LogForward for S3 bucket log monitoring.

  2. Proceed to Update CloudFormation stacks.

  3. Repeat these steps as necessary to update other CloudFormation stacks.

See Configure AWS Account Monitoring for all AWS configuration options.

Verify the GuardDuty KMS key

If you have GuardDuty monitoring configured, verify the KMS key after completing the CloudFormation stack updates. If you configured GuardDuty monitoring using the Arctic Wolf KMS key instead of a personal key, you must ensure that AWNKMSKey is selected.

  1. Sign in to the GuardDuty console.
  2. In the navigation pane, click Settings.
  3. In the Findings export options section, under S3 bucket, click Edit.
  4. Under Key Alias, verify the KMS key:
    • If your personal KMS key is selected, no action is required.
    • If a key without an alias is selected, select AWNKMSKey from the dropdown list, and then click Save.
  5. Repeat these steps as necessary for other regions with GuardDuty monitoring configured.

Deprecated stacks

These Arctic Wolf AWS stacks are deprecated and you can remove them: