Protective Monitoring - CloudTrail Events #6614

Closed
5 tasks
mikereiddigital opened this issue Mar 26, 2024 · 4 comments

mikereiddigital commented Mar 26, 2024

User Story

As a platform engineer we have been asked by the SecOps team (as part of the current Protective Monitoring work) to include CloudTrail events as a dataset to be shared with them. As this is a new requirement to the current PM work, this new ticket has been created.

Value / Purpose

This has been requested by the SecOps team and the scope of this needs to be properly assessed.

Useful Contacts

No response

Additional Information

Contacts - leonardo.marini@justice.gov.uk

Proposal / Unknowns

Definition of Done

  • Documentation has been written / updated
  • README has been updated
  • User docs have been updated
  • Another team member has reviewed
  • Tests are green
@mikereiddigital (Contributor, Author) commented:

Currently looking into how we use a Firehose stream (and so most of the existing module) where the source of the data is an S3 bucket rather than a CloudWatch log group.

@mikereiddigital (Contributor, Author) commented:

The SecOps team want to follow this approach - https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Audit-Logs-from-AWS-Cloud-Trail - the key question here being whether they can access the SQS queue via another account that they are already authenticated to or whether they will require more direct access. Will be talking again to Leo today to confirm this.
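Added example, not part of this issue or the platform module: an SQS queue policy of the shape the linked S3 + SQS ingestion approach needs, allowing S3 event notifications in and a consumer role from a separate SecOps account out. The account IDs, region, bucket name and role name are placeholders; the S3 bucket policy (s3:GetObject on the CloudTrail prefix) and, if the bucket is KMS-encrypted, the key policy must grant the same cross-account role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3EventNotificationsFromCloudTrailBucket",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-2:111111111111:cloudtrail-events-queue",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "arn:aws:s3:::EXAMPLE-cloudtrail-bucket" },
        "StringEquals": { "aws:SourceAccount": "111111111111" }
      }
    },
    {
      "Sid": "AllowSecOpsConsumerRoleOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/EXAMPLE-secops-cloudtrail-reader"
      },
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl"
      ],
      "Resource": "arn:aws:sqs:eu-west-2:111111111111:cloudtrail-events-queue"
    }
  ]
}
```

The SourceArn/SourceAccount condition stops any other bucket from injecting messages into the queue, and naming a single role (rather than the whole SecOps account root) keeps the cross-account grant to the one principal that actually polls it.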

@mikereiddigital (Contributor, Author) commented:

After a few more issues, SecOps are able to access the SQS & S3 and all appears to be working. Will monitor it tomorrow in case any issues are raised.
