
Implementation - AWS Security Platform as a Service (PaaS) - Multi-Cloud Security Operations Console

Implementation

To implement an AWS Security Platform as a Service (PaaS) that provides a unified security operations console, complete the following tasks.

Tasks

Deploy the Security Lake integration framework:

  • Primary configuration: See the config.example.yaml file in the sample-aws-security-lake-integrations repository on GitHub.

  • Deployment scripts: See the deployment scripts in the sample-aws-security-lake-integrations repository on GitHub.

Configure Azure Integration using deployment templates:

  • Azure infrastructure: See the deployment templates in the sample-aws-security-lake-integrations repository on GitHub.

  • Azure configuration: See the terraform.tfvars file in the sample-aws-security-lake-integrations repository on GitHub.

Configure GCP Integration using deployment templates:

  • GCP infrastructure: See the deployment templates in the sample-aws-security-lake-integrations repository on GitHub.

  • GCP configuration: See the terraform.tfvars file in the sample-aws-security-lake-integrations repository on GitHub.

Configure cross-cloud credentials using automation scripts:

Access the Amazon OpenSearch Service Security Analytics Dashboard to verify multi-cloud data ingestion and unified console functionality.

To remove all deployed resources, run the following:

cd integrations/security-lake/cdk
cdk destroy -c "configFile=config.example.yaml"

Azure resource clean up: Navigate to your Azure Terraform configuration and run the following:

cd integrations/azure/microsoft_defender_cloud/terraform
# Preview what will be destroyed
terraform plan -destroy

After confirming what will be destroyed, run the following:

# Destroy all resources
terraform destroy

GCP resource clean up: Navigate to your GCP Terraform configuration and run the following:

cd integrations/google_security_command_center/terraform
# Preview what will be destroyed
terraform plan -destroy

After confirming what will be destroyed, run the following:

# Destroy all resources
terraform destroy
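
The "preview, confirm, then destroy" steps above can be turned into an explicit check by saving the destroy plan and reviewing its JSON form. The following Python sketch is an added example, not code from the sample-aws-security-lake-integrations repository; the function name review_destroy_plan and the resource addresses in the sample plan are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Resource addresses are made up; they are not what the repository deploys.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_eventhub.findings", "type": "azurerm_eventhub",
     "change": {"actions": ["delete"]}},
    {"address": "azurerm_resource_group.integration", "type": "azurerm_resource_group",
     "change": {"actions": ["delete"]}},
    {"address": "data.azurerm_client_config.current", "type": "azurerm_client_config",
     "change": {"actions": ["read"]}},
    {"address": "aws_iam_role.cross_cloud", "type": "aws_iam_role",
     "change": {"actions": ["delete"]}},
    {"address": "azurerm_role_assignment.reader", "type": "azurerm_role_assignment",
     "change": {"actions": ["delete", "create"]}},
]})


def review_destroy_plan(plan_json, allowed_prefixes):
    """Return (to_delete, problems) for a JSON destroy plan.

    to_delete: addresses that will be destroyed and match an expected provider.
    problems:  entries a reviewer should resolve before running the destroy.
    """
    plan = json.loads(plan_json)
    to_delete, problems = [], []
    for rc in plan.get("resource_changes", []):
        address, actions = rc["address"], rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue  # nothing is removed for this entry
        if actions != ["delete"]:
            # A destroy plan should not create, update or replace anything;
            # this usually means the wrong plan file is being reviewed.
            problems.append(f"{address}: unexpected actions {actions}")
        elif not rc["type"].startswith(tuple(allowed_prefixes)):
            # Deletion reaches outside the cloud this Terraform directory covers.
            problems.append(f"{address}: type {rc['type']} outside expected providers")
        else:
            to_delete.append(address)
    return to_delete, problems


if __name__ == "__main__":
    deleted, issues = review_destroy_plan(SAMPLE_PLAN, ["azurerm_"])
    print("will destroy:", *deleted, sep="\n  ")
    print("needs review:", *issues, sep="\n  ")
```

To use it on a real plan, save the preview with terraform plan -destroy -out=destroy.tfplan, pass the output of terraform show -json destroy.tfplan to the function, and run terraform apply destroy.tfplan only when the problem list is empty, so that what is destroyed is exactly what was reviewed.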

Supporting documentation URLs

AWS security platform documentation

Multi-cloud integration documentation

Implementation guides

Conclusion

In this tutorial, we built and demonstrated a comprehensive Security Platform as a Service (PaaS) that delivers the required native, multifunction security operations console:

  1. Native multi-cloud CSPM: Provides built-in connectors for Azure Security Center and GCP Security Command Center with a unified OpenSearch dashboard.

  2. Native multi-cloud SIEM: Provides built-in connectors for Azure and GCP log sources with a unified Security Analytics console.

  3. Native multi-cloud CWPP: Provides built-in connectors for Azure and GCP workload protection with unified threat detection, vulnerability management, and runtime protection.

Cloud security dashboard showing workload metrics, severity distributions, and vulnerability analysis across Azure and AWS resources.