Sentinel forwarder

This module creates a Lambda function that forwards AWS logs to Azure Sentinel. It is a thin wrapper around the Lambda layer published at https://github.com/cds-snc/aws-sentinel-connector-layer and only stitches that code together with its triggers and the IAM permissions the function needs.

Triggers can be EventBridge (CloudWatch Events) rules, S3 ObjectCreated events, or CloudWatch Logs subscriptions. The following log types are supported:

  • CloudTrail (.json.gz)
  • Load balancer (.log.gz)
  • VPC flow logs (.log.gz)
  • WAF ACL (.gz)
  • GuardDuty
  • SecurityHub (via EventBridge)
  • Generic application JSON logs

You will need to supply your Log Analytics workspace customer ID and shared key; the module stores them in an SSM parameter (aws_ssm_parameter.sentinel_forwarder_auth) for the Lambda to read at runtime. The shared key grants write access to the workspace, so pass it in from a secret store rather than committing it to source. AWS log types are assigned a Sentinel LogType automatically. Custom application logs are given the LogType set in the log_type variable, and each record must be nested inside a JSON object under the key application_log, for example {"application_log": {"foo": "bar"}}; records without that envelope are not forwarded to Azure Sentinel by the layer code.
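The following root-module configuration is an added example of wiring all three trigger kinds to this module; it is not part of the module or of the cds-snc project. The module source path, bucket name, KMS alias, log group name, rule name and tag value are assumptions for illustration. The CloudWatch Logs subscription filter is created here because the module's resource list contains the Lambda invoke permission for subscriptions but no aws_cloudwatch_log_subscription_filter.

```hcl
# Added example, not module code. Source path and all names are assumptions.

variable "sentinel_customer_id" {
  description = "Log Analytics workspace customer (workspace) ID"
  type        = string
  sensitive   = true
}

variable "sentinel_shared_key" {
  description = "Log Analytics workspace shared key; grants write access to the workspace"
  type        = string
  sensitive   = true
}

# Assumed: an existing CloudTrail bucket encrypted with a customer-managed KMS key.
# The Lambda must decrypt the objects, so the key ARN is passed to the module.
data "aws_s3_bucket" "cloudtrail" {
  bucket = "example-org-cloudtrail-logs"
}

data "aws_kms_key" "cloudtrail" {
  key_id = "alias/cloudtrail-logs"
}

# Assumed: an application log group whose events are JSON objects of the form
# {"application_log": {...}}, the envelope the module requires for custom logs.
resource "aws_cloudwatch_log_group" "app" {
  name              = "/example-org/app"
  retention_in_days = 30
}

# EventBridge rule matching Security Hub findings. Only the rule name is handed
# to the module, which attaches the Lambda as the rule's target.
resource "aws_cloudwatch_event_rule" "securityhub_findings" {
  name        = "securityhub-findings-to-sentinel"
  description = "Forward Security Hub findings to Sentinel"
  event_pattern = jsonencode({
    source        = ["aws.securityhub"]
    "detail-type" = ["Security Hub Findings - Imported"]
  })
}

module "sentinel_forwarder" {
  source = "github.com/cds-snc/terraform-modules//sentinel_forwarder" # assumed path

  function_name     = "sentinel-forwarder"
  billing_tag_value = "security-operations"

  customer_id = var.sentinel_customer_id
  shared_key  = var.sentinel_shared_key

  # LogType applied to the custom application logs only; AWS log types
  # (CloudTrail, VPC flow logs, ...) are typed automatically by the layer.
  log_type = "ExampleAppLog"

  # S3 ObjectCreated trigger: the module creates the bucket notification itself.
  s3_sources = [
    {
      bucket_arn    = data.aws_s3_bucket.cloudtrail.arn
      bucket_id     = data.aws_s3_bucket.cloudtrail.id
      filter_prefix = "AWSLogs/"
      kms_key_arn   = data.aws_kms_key.cloudtrail.arn
    },
  ]

  # CloudWatch Logs trigger: grants the log group permission to invoke the Lambda.
  cloudwatch_log_arns = [aws_cloudwatch_log_group.app.arn]

  # EventBridge trigger: the module adds the Lambda as a target of this rule.
  event_rule_names = [aws_cloudwatch_event_rule.securityhub_findings.name]
}

# Assumption drawn from the resource list: the module does not create the
# subscription filter, so the log group is subscribed to the Lambda here.
resource "aws_cloudwatch_log_subscription_filter" "app_to_sentinel" {
  name            = "app-to-sentinel"
  log_group_name  = aws_cloudwatch_log_group.app.name
  filter_pattern  = ""
  destination_arn = module.sentinel_forwarder.lambda_arn
}

output "sentinel_forwarder_lambda_arn" {
  value = module.sentinel_forwarder.lambda_arn
}
```

Two points to check before applying. Because the module manages aws_s3_bucket_notification for each bucket in s3_sources, and that resource owns the bucket's entire notification configuration, any other notification already configured on that bucket will be removed; move it into the same configuration rather than defining it elsewhere. And since the Lambda reads the S3 objects and decrypts them with the key in kms_key_arn, the key policy must allow the module's IAM role to call kms:Decrypt, which the module's own policy cannot grant on your behalf.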

Requirements

| Name | Version |
|------|---------|
| aws | >= 3.46.0 |

Providers

| Name | Version |
|------|---------|
| archive | n/a |
| aws | >= 3.46.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_target.sentinel_forwarder | resource |
| aws_cloudwatch_log_group.sentinel_forwarder_lambda | resource |
| aws_iam_policy.sentinel_forwarder_lambda | resource |
| aws_iam_policy.sentinel_forwarder_lambda_s3 | resource |
| aws_iam_role.sentinel_forwarder_lambda | resource |
| aws_iam_role_policy_attachment.sentinel_forwarder_lambda | resource |
| aws_iam_role_policy_attachment.sentinel_forwarder_lambda_s3 | resource |
| aws_lambda_function.sentinel_forwarder | resource |
| aws_lambda_permission.sentinel_forwarder_cloudwatch_log_subscription | resource |
| aws_lambda_permission.sentinel_forwarder_events | resource |
| aws_lambda_permission.sentinel_forwarder_s3_triggers | resource |
| aws_s3_bucket_notification.sentinel_forwarder_trigger_notification | resource |
| aws_ssm_parameter.sentinel_forwarder_auth | resource |
| archive_file.sentinel_forwarder | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.lambda_assume_policy | data source |
| aws_iam_policy_document.sentinel_forwarder_lambda | data source |
| aws_iam_policy_document.sentinel_forwarder_lambda_s3 | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| billing_tag_key | (Optional, default 'CostCentre') The name of the billing tag | string | "CostCentre" | no |
| billing_tag_value | (Required) The value of the billing tag | string | n/a | yes |
| cloudwatch_log_arns | (Optional) List of CloudWatch log group ARNs whose events are forwarded to Sentinel | list(string) | [] | no |
| customer_id | (Required) Azure Log Analytics workspace customer ID | string | n/a | yes |
| event_rule_names | (Optional) Names of EventBridge (CloudWatch Events) rules that trigger the Lambda | list(string) | [] | no |
| function_name | (Required) Name of the Lambda function | string | n/a | yes |
| layer_arn | (Optional) ARN of the Lambda layer to use | string | "arn:aws:lambda:ca-central-1:283582579564:layer:aws-sentinel-connector-layer:20" | no |
| log_type | (Optional) The LogType (namespace) assigned to custom application logs; it has no effect on the AWS log types, which are typed automatically | string | "ApplicationLog" | no |
| s3_sources | (Optional) List of S3 buckets whose ObjectCreated events trigger the Lambda; kms_key_arn is the key the Lambda needs to decrypt the objects | list(object({ bucket_arn = string, bucket_id = string, filter_prefix = string, kms_key_arn = string })) | [] | no |
| shared_key | (Required) Azure Log Analytics workspace shared key | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| lambda_arn | The ARN of the Lambda function. |
| lambda_name | The name of the Lambda function. |