reference deployment

Sumo Logic Security Integrations for AWS Organizations

Automatically collect and centralize security events from multiple AWS accounts

This Quick Start automatically deploys Sumo Logic Security Integrations on the Amazon Web Services (AWS) Cloud. It’s for people who want to provide security analytics across multiple AWS accounts. With this Quick Start, you increase your time to value by configuring the Sumo Logic console for Amazon GuardDuty and AWS CloudTrail at the organization level in AWS Organizations instead of repeating the deployment in each account. With this serverless architecture, you can improve threat detection and response across your organization while adhering to the best practices outlined in the AWS Security Reference Architecture (AWS SRA).

If you want to configure Sumo Logic for 12 AWS services that provide security analytics for a single AWS account, see this Quick Start: Sumo Logic Security Integrations on AWS.

Sumo Logic is focused on continuous intelligence, a category of software that addresses data challenges presented by digital transformations, modern applications, and cloud computing. The Sumo Logic Continuous Intelligence Platform automates the collection, ingestion, and analysis of applications, infrastructure, security, and Internet of Things (IoT) data to derive actionable insights.

This Quick Start uses Sumo Logic Cloud SIEM (security information and incident management) powered by AWS. Sumo Logic Cloud SIEM uses apps to collect security events generated by AWS and other security services to provide an aggregate view of overall security and compliance posture.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

portworx logo

This Quick Start was developed by Sumo Logic in collaboration with AWS. Sumo Logic is an AWS Partner.

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • This Quick Start sets up the following:

    • In all current and new AWS accounts and workloads across your organization in AWS Organizations, Amazon GuardDuty to help protect against malicious activity and behavior.
    • In your Security Tooling account:
      • Amazon CloudWatch to relay events to AWS Lambda functions.
      • Lambda integration functions to create a collector and multiple sources and to install apps on your Sumo Logic account.
    • In your Org Management account, AWS CloudTrail to track user activity and API (application programming interface) usage across your entire organization.
    • In your Log Archive account, an Amazon Simple Storage Service (Amazon S3) bucket to capture logs from AWS CloudTrail.
    • Amazon Simple Notification Service (Amazon SNS) to send alerts when a new object is saved to the S3 bucket.
    • The Sumo Logic collector and sources to receive logs from the S3 bucket.
  •  How to deploy
  • To deploy Sumo Logic for AWS Organizations, follow the instructions in the deployment guide. The deployment process takes about 15 minutes and may take longer depending on the number of accounts in your organization. Deployment includes these steps:

    1. Prepare your Sumo Logic account. If you don’t have a Sumo Logic enterprise account, create one at
    2. Sign in to your AWS account. If you don’t have an AWS account, sign up at
    3. Launch the Quick Start. Before you create the stack, choose the AWS Region from the top toolbar.
    4. Test the deployment.
    5. Complete the postdeployment steps.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. This Quick Start deploys Amazon Guard Duty and AWS CloudTrail across all accounts in your organization, incurring costs for these services in each account. Otherwise, there is no additional cost for using the Quick Start. For Sumo Logic pricing information, see the Sumo Logic website.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?