reference deployment

Sumo Logic Security Integrations for AWS Organizations

Automatically collect and centralize security events from multiple AWS accounts

This Quick Start automatically deploys Sumo Logic Security Integrations on the Amazon Web Services (AWS) Cloud. It's for DevOps and IT operations teams that want to provide Sumo Logic security analytics across multiple AWS accounts.

With a single deployment, this Quick Start configures your Sumo Logic console for Amazon GuardDuty, AWS CloudTrail, AWS Security Hub, AWS Firewall Manager, and AWS WAF across an entire AWS organization. The serverless architecture follows the AWS Security Reference Architecture (AWS SRA) and uses Sumo Logic Cloud Security Information and Event Management (SIEM) powered by AWS to consolidate logs from AWS and third-party tools.

If you want to configure Sumo Logic for 12 AWS services that provide security analytics for a single AWS account, see this Quick Start: Sumo Logic Security Integrations on AWS.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

This Quick Start was developed by Sumo Logic in collaboration with AWS. Sumo Logic is an AWS Partner.

  •  What you'll build
  • This Quick Start sets up the following:

    • In all current and new AWS accounts in your AWS organization:
      • Amazon GuardDuty to help protect AWS accounts and workloads from malicious activity and report security events to Amazon CloudWatch.
      • AWS Security Hub to assess security alerts and security posture across AWS accounts. Security Hub relays security events to CloudWatch.
      • AWS WAF for a web application firewall to help protect the resources in your organization from common web exploits.
      • AWS Network Firewall to deploy essential network protections for all your Amazon virtual private clouds (VPCs).
      • AWS Firewall Manager to deploy AWS WAF and Network Firewall rules across the VPCs in your organization.
    • In your security tooling account:
      • Amazon CloudWatch to relay security events to AWS Lambda integration functions.
      • Lambda integration functions to do the following: 
        • Create a Sumo collector and multiple sources. A collector is an agent that receives logs from a source before encrypting and forwarding them to a Sumo service. A source is a configuration that collects logs from AWS services.
        • Install the security apps you select during deployment to your Sumo Logic account.
      • Amazon Kinesis Data Firehose to forward AWS WAF logs to Sumo Logic.
      • An Amazon Simple Storage Service (Amazon S3) bucket to store Network Firewall logs.
      • An Amazon Simple Notification Service (Amazon SNS) topic to publish Network Firewall logs to Sumo Logic.
    • In your organization management account, AWS CloudTrail to track user activity and API usage in the organization.
    •  In your log archive account:
      • An Amazon S3 bucket to store CloudTrail logs.
      • An Amazon Simple Notification Service (Amazon SNS) topic to publish CloudTrail logs to Sumo Logic.
  •  How to deploy
  • To deploy Sumo Logic for AWS Organizations, follow the instructions in the deployment guide. The deployment process takes about 60 minutes. Deployment includes these steps:

    1. Prepare your Sumo Logic account. If you don’t have a Sumo Logic enterprise account, create one at
    2. Sign in to your AWS account. If you don’t have an AWS account, sign up at
    3. Launch the Quick Start. Before you create the stack, choose the AWS Region from the top toolbar.
    4. Test the deployment.
    5. Complete the postdeployment steps.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. This Quick Start deploys Amazon GuardDuty and AWS CloudTrail across all accounts in your organization, incurring costs for these services in each account. Otherwise, there is no additional cost for using the Quick Start. For Sumo Logic pricing information, refer to the Sumo Logic website.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?