Update AWS CloudFormation Stacks

You can update the CloudFormation stacks that Arctic Wolf® provides in an Amazon Web Services (AWS) account.

These actions are required:

  • Verify that the AWS user or IAM role that you are using has the AdministratorAccess policy, or an equivalent IAM policy, and has permissions to access the AWS Management Console. This user or role must have permissions to create, update, and delete these stacks and dependent resources:
    • CloudFormation stacks
    • CloudTrail trails
    • Amazon CloudWatch Logs log groups
    • IAM roles and managed policies
    • Lambda functions and custom resources
    • Kinesis Firehose delivery streams
    • S3 buckets
    • SNS topics and topic policies
  • Delete the ArcticWolf-GuardDuty stack, if you previously created it.
  • Remove these deprecated stacks:
    • ArcticWolf-CloudWatchLogs
    • ArcticWolf-SystemsManagerLogs
    • ArcticWolf-GuardDuty
    • AWS monitoring in additional regions
    Note: If you previously configured Amazon GuardDuty using an Arctic Wolf stack, delete this stack from each of the configured regions. Then, complete Configure Amazon GuardDuty for Arctic Wolf monitoring to enable Amazon GuardDuty across multiple regions.
Note:
  • Occasionally, Arctic Wolf offers service enhancements to our AWS log collection that require you to update the CloudFormation stacks in your account to the latest version. Your Concierge Security® Team (CST) advises you when you need to follow this process.
  • In December 2021, the CloudFormation template used for CloudTrail and Amazon GuardDuty implementations was updated to automatically block public access during Simple Storage Service (S3) bucket creation. If you did not manually configure your implementation to block public access during S3 bucket creation, Arctic Wolf recommends that you follow this process to update your CloudFormation stack.

Access CloudFormation in the AWS Management Console

  1. Sign in to the AWS Management Console.
  2. Verify that your user or role has the appropriate permissions:
    • If your organization uses IAM roles:
      1. In the menu bar, click your username, and then select Switch Role.
      2. Follow the prompts to assume a new role with the appropriate permissions.
    • If your organization does not use IAM roles, or you have the appropriate permissions, go to the next step.
    • If your organization uses AWS Control Tower, complete Configure CloudTrail monitoring with AWS Control Tower, using the AWSControlTowerExecutionRole role.
  3. In the menu bar, click Services > CloudFormation to access the CloudFormation console.

Select your preferred region

  1. In the navigation menu, click Region.
  2. Select your preferred region.

Update CloudFormation stacks

When there are configuration enhancements, complete these steps to update each CloudFormation stack.

Configuration enhancements could include a Python 3 Lambda upgrade that affects the CloudFormation stack for S3 bucket log monitoring.

Note: For all AWS configuration options, see Configure AWS for Arctic Wolf monitoring.
  1. On the Stacks page, in the search bar, enter your base stack name. For example, ArcticWolf.
  2. Select the corresponding stack from the Stack list.
    Tip:

    Nested stacks include a prefix. To make sure that you choose the base stack, check the stack name for the --Stack Name-- prefix.

  3. In the actions bar, click Update.
  4. In the Prerequisite - Prepare template section, select Replace current template.
  5. In the Specify template section, for template source, select Amazon S3 URL.
  6. On a new browser tab, sign in to the Arctic Wolf Unified Portal to retrieve the AWS stack link.
  7. In the Amazon Web Services (AWS) Monitoring section, if the stack name is:
    • ArcticWolf or similar — Copy the CloudTrail stack URL.
    • ArcticWolf-S3LogForward or similar — Copy the Simple Storage Service (S3) Logs stack URL.
  8. On the CloudFormation browser tab, in the Specify template section, for the Amazon S3 URL, enter the URL you copied in the previous step.
  9. Click Next.
  10. On the Specify stack details page, click Next.
    Note: Do not adjust settings on the Specify stack details page, unless your Concierge Security® Team (CST) requests it.
  11. On the Configure stack options page, click Next.
    Note:

    Do not adjust settings on the Configure stack options page, unless your CST requests it.

  12. On the Review page, in the Capabilities section, select all checkboxes.
    Note:

    Make sure that these checkboxes are also selected:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names
    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

    CloudFormation provides a preview of stack changes.

  13. Click Update stack.

    CloudFormation begins updating stacks and resources in your account, prefixed with the stack name property.

  14. Verify that the Status column value of your stack changes to UPDATE_COMPLETE.

    Stacks are successfully updated.

  15. Contact your CST to inform them that you completed this process.
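
The status check in step 14 and the deprecated-stack list from the prerequisites can be scripted against the JSON that `aws cloudformation describe-stacks` returns. This is an added example, not Arctic Wolf code; the account ID, the nested stack name, and the sample data are constructed, and the `ArcticWolf` prefix is the page's example base stack name.

```python
# Stack names the page lists as deprecated: these are deleted, not updated.
DEPRECATED = {"ArcticWolf-CloudWatchLogs", "ArcticWolf-SystemsManagerLogs",
              "ArcticWolf-GuardDuty"}

def _stack(name, region, status, parent=None):
    """Build one constructed entry shaped like a describe-stacks 'Stacks' item."""
    arn = f"arn:aws:cloudformation:{region}:111122223333:stack/{name}/example-id"
    entry = {"StackName": name, "StackId": arn, "StackStatus": status}
    if parent:
        entry["ParentId"] = parent  # present only on nested stacks
    return entry

# Constructed sample: describe-stacks output from two regions, merged.
SAMPLE = {"Stacks": [
    _stack("ArcticWolf", "us-east-1", "UPDATE_COMPLETE"),
    _stack("ArcticWolf-NestedExample-1A2B", "us-east-1", "UPDATE_COMPLETE",
           parent="arn:aws:cloudformation:us-east-1:111122223333:stack/ArcticWolf/example-id"),
    _stack("ArcticWolf-S3LogForward", "us-east-1", "CREATE_COMPLETE"),
    _stack("ArcticWolf-GuardDuty", "eu-west-1", "CREATE_COMPLETE"),
    _stack("ArcticWolf", "eu-west-1", "UPDATE_ROLLBACK_COMPLETE"),
    _stack("unrelated-app", "us-east-1", "UPDATE_COMPLETE"),
]}

def audit_stacks(describe_output, base_prefix="ArcticWolf"):
    """Sort base stacks into: to delete, updated, and still pending."""
    report = {"delete": [], "updated": [], "pending": []}
    for stack in describe_output.get("Stacks", []):
        name = stack["StackName"]
        if not name.startswith(base_prefix):
            continue  # not an Arctic Wolf stack
        if stack.get("ParentId") or stack.get("RootId"):
            continue  # nested stack: it is updated through its base stack
        region = stack["StackId"].split(":")[3]  # ARN field 4 is the region
        if name in DEPRECATED:
            report["delete"].append((region, name))
        elif stack["StackStatus"] == "UPDATE_COMPLETE":
            report["updated"].append((region, name))
        else:
            # Includes never-updated stacks and failed updates that rolled back.
            report["pending"].append((region, name, stack["StackStatus"]))
    return report

if __name__ == "__main__":
    for bucket, rows in audit_stacks(SAMPLE).items():
        for row in rows:
            print(bucket, *row)
```

A stack can also show UPDATE_COMPLETE from an earlier update, so compare the `LastUpdatedTime` field in the same output against the date you ran this process.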

Verify the GuardDuty KMS key

For each region where you have Amazon GuardDuty monitoring configured, complete these steps:

  1. Sign in to the GuardDuty console.
  2. In the navigation menu, click Settings.
  3. In the Findings export options section, in the S3 bucket setting, click Edit.
  4. In the Key Alias section, do one of these actions:
    • If your personal KMS key is selected, no action is required.
    • If a key without an alias is selected, select AWNKMSKey from the list, and then click Save.