Integrating Alert Logic Managed Detection and Response with AWS Control Tower
My customers have increasingly adopted a multi-account architecture to manage and separate their workloads. AWS Control Tower enables a customer to set up and govern a secure, multi-account AWS environment based on best practices recommended by AWS. Complementing the automation that AWS Control Tower provides for account provisioning and guardrails, Alert Logic has developed an automated solution for integration with AWS Control Tower.
Alert Logic MDR helps you identify and respond to attacks through a combination of a security platform, threat intelligence capabilities, and access to security experts.
In this blog post, Pavel, Chris, and I show how to build scalable Alert Logic MDR deployments that integrate with AWS Control Tower Account Factory. This solution allows you to activate, deploy, and configure Alert Logic MDR into an AWS Control Tower environment consistently. With the provided template and implementation guide, you can reduce the number of steps required to deploy Alert Logic MDR. You can also use AWS Control Tower lifecycle events to automatically deploy Alert Logic MDR on new AWS accounts.
Alert Logic MDR integration with AWS Control Tower
Alert Logic MDR uses automation to integrate with AWS Control Tower lifecycle events, including the following:
- Perform prerequisite steps to set up Alert Logic MDR in an AWS account vended by AWS Control Tower Account Factory.
- Register the AWS account in the Alert Logic MDR portal to initiate asset discovery and security assessment.
- Set up ingestion of AWS CloudTrail logs into the Alert Logic MDR platform.
- Detect tags in Amazon Virtual Private Clouds (AWS VPCs) with Alert Logic identifiers and automatically include them in the protection scope of Alert Logic MDR.
- Deploy Alert Logic MDR scanning and Intrusion Detection System (IDS) appliances to the target VPCs based on the protection scope.
This automation configures Alert Logic MDR on a new or existing AWS account when it is enrolled into AWS Control Tower using Account Factory. The protection scope automatically includes new or existing VPCs that have the Alert Logic-specific tag identifier assigned.
When AWS Control Tower is deployed on the master account, it creates two additional shared accounts for log archive and audit purposes. We recommend you create a new security account for shared services such as Alert Logic MDR.
Within your AWS Control Tower environment, the log archive account holds a centralized Amazon Simple Storage Service (Amazon S3) bucket to store the shared accounts’ AWS CloudTrail logs. The CloudTrail logs are configured to send notifications to the Amazon Simple Notification Service (Amazon SNS) topic in the linked audit account. In the log archive account, Amazon Simple Queue Service (Amazon SQS) ingests CloudTrail logs into the Alert Logic MDR platform. This solution creates an Amazon SQS queue in the log archive account and subscribes it to the Amazon SNS CloudTrail topic in the audit account.
Here is how the solution works:
- AWS Control Tower publishes the lifecycle events after successful enrollment of AWS accounts. The lifecycle event invokes the AWS Lambda function to deploy the AWS CloudFormation StackSet instance into the new AWS account. Refer to the following diagram.
- The StackSet instance creates the required prerequisite Identity and Access Management (IAM) role for Alert Logic MDR. It also sends a notification to an SNS topic located in the security account. Refer to the following diagram.
- In the security account, a Lambda function is subscribed to this SNS topic. When this Lambda function runs, it registers the new AWS account into Alert Logic MDR. Refer to the following diagram.
- When the user updates a VPC by adding or removing an AWS tag with the Alert Logic identifier, this operation generates an event. Refer to the following diagram.
- The EventBridge rule forwards the events to the security account, where another Lambda function updates the protection scope in the Alert Logic MDR platform. Refer to the following diagram.
- The Alert Logic MDR platform automatically scans and deploys the security appliances to the new AWS account based on the registration information and the deployment scope. Refer to the following diagram.
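The enrollment step above (lifecycle event to StackSet instance), as an added example that is not code from Alert Logic's templates or implementation guide: a Lambda handler that acts only on a SUCCEEDED CreateManagedAccount or UpdateManagedAccount event and then requests a StackSet instance for the vended account. The StackSet name and region list are placeholders, and the CloudFormation client is injectable so the logic can be exercised offline.

```python
from typing import Any, Optional

STACK_SET_NAME = "AlertLogic-MDR-Prerequisites"  # placeholder, not the real StackSet name
TARGET_REGIONS = ["us-east-1"]                   # placeholder region list
HANDLED_EVENTS = ("CreateManagedAccount", "UpdateManagedAccount")


def extract_enrolled_account(event: dict) -> Optional[str]:
    """Return the account ID from a SUCCEEDED enrollment event, else None.

    Control Tower publishes lifecycle events through CloudTrail; the status key
    mirrors the event name (createManagedAccountStatus, ...). Failed or pending
    enrollments yield None, so nothing deploys before guardrails are in place.
    """
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if event.get("source") != "aws.controltower" or name not in HANDLED_EVENTS:
        return None
    status_key = name[0].lower() + name[1:] + "Status"
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status.get("account", {}).get("accountId")


def handler(event: dict, context: Any = None, cfn_client: Any = None) -> dict:
    """Lambda entry point: add a StackSet instance for the enrolled account.
    cfn_client is injectable for offline tests; Lambda uses the boto3 default."""
    account_id = extract_enrolled_account(event)
    if account_id is None:
        return {"status": "ignored"}
    if cfn_client is None:
        import boto3  # available in the Lambda runtime
        cfn_client = boto3.client("cloudformation")
    resp = cfn_client.create_stack_instances(
        StackSetName=STACK_SET_NAME, Accounts=[account_id], Regions=TARGET_REGIONS
    )
    return {"status": "deploying", "account": account_id,
            "operationId": resp.get("OperationId")}


# Constructed sample event in the shape Control Tower emits via CloudTrail.
SAMPLE_EVENT = {
    "source": "aws.controltower", "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount",
               "serviceEventDetails": {"createManagedAccountStatus": {
                   "state": "SUCCEEDED",
                   "account": {"accountName": "workload-a", "accountId": "111122223333"}}}},
}
```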
Deploying Alert Logic MDR integration in your AWS Control Tower
For this walkthrough, you must already have AWS Control Tower deployed and be subscribed to Alert Logic MDR via AWS Marketplace. Alert Logic provides an implementation guide for this solution; refer to it for step-by-step instructions and technical support. If you want to examine the AWS CloudFormation templates and all AWS resources deployed, visit Alert Logic’s resources in GitHub.
I used the provided implementation guide to deploy the solution in my AWS Control Tower master account. I intentionally set the parameter Protect All VPCs in each region = False so that the VPC protection scope is driven by AWS tags. I also set the parameter VPC Tags to protect to the key-value pair alertlogic:true. In the next section, I demonstrate how Alert Logic MDR integrates with AWS Control Tower.
Integration with AWS Control Tower lifecycle events
In this walkthrough, I create a new AWS account and test Alert Logic MDR integration with the AWS Control Tower lifecycle event trigger. I use the AWS Control Tower Account Factory console to enroll a new AWS account. To do that, navigate to the AWS Control Tower console, select Account Factory from the left sidebar, and select Enroll account.
I enter all parameters for my new AWS account and choose Enroll account. AWS Control Tower starts the account creation and deploys its guardrails and best practice configurations.
While the account creation and guardrail application are in progress, I now check what was deployed simultaneously in the Alert Logic MDR console. I log into the Alert Logic MDR console to verify that my existing AWS accounts are protected. My newly created AWS account is not here yet because AWS Control Tower is still applying the configuration and guardrails.
I review all the assets discovered by Alert Logic MDR from my AWS accounts and verify the protection scope as shown. The following image of the Alert Logic Discovery screen shows an illustration of my assets discovered.
When the new AWS account creation in AWS Control Tower is complete, I find it registered automatically in the Alert Logic MDR console. The following screenshot shows my Alert Logic Deployment page with five accounts, including the one I just created.
Automate the Alert Logic MDR scope of protection
The new AWS account doesn’t have any workload yet. To simulate the scenario of selecting deployment scope per VPC, I do the following:
- Log in to my new AWS account from AWS Single Sign-On (AWS SSO). If you don’t know the link to your AWS SSO user portal, follow the tips here to find out.
- I log in to my new AWS account and select VPC from the list of services. In the VPC console, I select VPC Dashboard and use the VPC wizard to launch a new simple VPC.
- From the VPC console, I choose Your VPCs and select the newly created VPC. I navigate to the Tags tab and add a new tag (alertlogic:true). Behind the scenes, this action triggers the Lambda function in the security account to send a request to the Alert Logic REST API. The request adds the VPC ID to the Alert Logic MDR protection scope.
- I navigate to the Alert Logic MDR console and select the new AWS account deployment. To check the scope of protection, in the left sidebar, I select Scope of Protection. It indicates the account is part of the protection scope by showing a green icon.
- From the Amazon EC2 console, I navigate to the Auto Scaling Groups (ASG) page. I find two ASGs created by Alert Logic MDR. Both ASGs are configured in subnets within the VPC that I created earlier. Within minutes, the Alert Logic security appliances are deployed to scan and protect this VPC.
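The tag-driven scope update described in the architecture and exercised in the walkthrough above, as an added example rather than Alert Logic's own code: the EventBridge pattern is assumed to match EC2 CreateTags/DeleteTags calls recorded by CloudTrail (the page does not show the rule), the handler turns such an event into add/remove decisions for VPC IDs only, and the `notify` hook is a hypothetical stand-in for the Alert Logic REST API call, whose request format the page does not give.

```python
TAG_KEY, TAG_VALUE = "alertlogic", "true"   # the tag used in the walkthrough

# EventBridge rule pattern (assumption: the forwarding rule matches EC2 tag API
# calls recorded by CloudTrail; the page does not show the rule itself).
EVENT_PATTERN = {
    "source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["CreateTags", "DeleteTags"]},
}


def scope_changes(event: dict) -> list:
    """Translate one CreateTags/DeleteTags event into (account, region, vpc_id,
    action) tuples. Only vpc-* resource IDs count. Deleting the key, or setting it
    to anything but "true", yields "remove", so an edited tag never leaves a VPC
    in scope with a stale value."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name not in ("CreateTags", "DeleteTags"):
        return []
    params = detail.get("requestParameters", {})
    vpcs = [r["resourceId"] for r in params.get("resourcesSet", {}).get("items", [])
            if r.get("resourceId", "").startswith("vpc-")]
    tags = {t["key"]: t.get("value") for t in params.get("tagSet", {}).get("items", [])}
    if not vpcs or TAG_KEY not in tags:
        return []
    action = "add" if name == "CreateTags" and tags[TAG_KEY] == TAG_VALUE else "remove"
    return [(event.get("account"), detail.get("awsRegion"), v, action) for v in vpcs]


def apply_changes(scope: set, changes: list, notify=None) -> set:
    """Apply changes to the set of in-scope VPC IDs. `notify` is a hypothetical
    hook standing in for the Alert Logic REST API call the security-account
    Lambda makes; the real request is documented in the implementation guide."""
    for account, region, vpc_id, action in changes:
        (scope.add if action == "add" else scope.discard)(vpc_id)
        if notify:
            notify(account, region, vpc_id, action)
    return scope

# Constructed sample: the walkthrough step of tagging the new VPC alertlogic:true.
SAMPLE_CREATE = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "account": "111122223333",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags",
               "awsRegion": "us-east-1",
               "requestParameters": {
                   "resourcesSet": {"items": [{"resourceId": "vpc-0a1b2c3d"}]},
                   "tagSet": {"items": [{"key": TAG_KEY, "value": TAG_VALUE}]}}},
}
```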
From here, I can hand over this new account to my team. They can now install Alert Logic agents if they run a workload on EC2 instances, or deploy the Alert Logic Web Application Firewall (WAF) to protect a web service. I also gave my team instructions on how to add the alertlogic tag to a new VPC should they want to build one. They can use AWS CloudFormation to deploy a new VPC as part of Infrastructure as Code (IaC). As long as they include the right tags, I can be sure that Alert Logic MDR is automatically deployed.
In this blog post, I showed you how Alert Logic MDR integrates with AWS Control Tower. I demonstrated how to use AWS Control Tower lifecycle events to automate the registration of a new AWS account in Alert Logic MDR. I also showed you how to add a new VPC to a protection scope automatically by using the Alert Logic REST API.
This solution is offered by Alert Logic, an AWS Advanced Technology Partner. You can find their service offering in AWS Marketplace. Details about this solution can be found in Solutions for AWS Control Tower in AWS Marketplace. For more information about the Alert Logic offering, see the Alert Logic website.
About the authors
Welly Siauw is a Senior Technical Account Manager at AWS. Welly enjoys working with AWS customers in solving architectural, operational, and cost optimization challenges.
Pavel Trakhtman has been with Alert Logic for 14 years holding various positions in Engineering and Product Management. Currently, in his role as a VP of Product Management, he is responsible for partner enablement and integrations.
Chris Noell is Head of Product for Alert Logic. Chris has been a leader for Managed Service and SaaS companies in the security industry for 22 years, including NTT Solutionary and Verisign.