
Sharing of Platform Operational Data with Security Operations via AWS Data Firehose

Introduction

The Modernisation Platform shares data from a number of sources with the Security Operations team’s Cortex XSIAM platform for the purpose of protective monitoring of the platform and the applications hosted on it.

Categories of data shared with Security Operations

The following categories of data are shared using AWS Data Firehose:

  • Managed member account VPC flow log data, via CloudWatch Logs.
  • Network Firewall inspection log data for the live, non-live and external firewalls.
  • VPC flow log data for the three Network Firewall VPCs.
  • VPC flow log data for core-shared-services, core-logging and core-security.

One exception is CloudTrail log data, which is held in S3 in the core-logging account and is not sent via Firehose. It is collected by the Cortex XSIAM S3 plugin, which polls an SQS queue to which an S3 Event Notification resource publishes a message for each new log object. The plugin authenticates to the core-logging account with an IAM user.
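The CloudTrail path described above, as an added example rather than the platform's own Terraform (the real resources are linked in the next section). The bucket name, queue name and IAM user name are assumptions; the point of the example is the two trust boundaries a practitioner should check: only S3, and only the CloudTrail bucket, may publish to the queue, and the IAM user can read the queue and fetch CloudTrail objects but nothing else.

```terraform
# Added example, not Modernisation Platform code. Names marked "assumption" are invented.

data "aws_caller_identity" "current" {}

# Assumption: the existing CloudTrail bucket in core-logging
data "aws_s3_bucket" "cloudtrail" {
  bucket = "example-core-logging-cloudtrail" # assumption
}

resource "aws_sqs_queue" "cloudtrail_events" {
  name                       = "cloudtrail-s3-events-xsiam" # assumption
  message_retention_seconds  = 345600 # 4 days: messages survive a collector outage
  visibility_timeout_seconds = 300
  sqs_managed_sse_enabled    = true
}

# Only the S3 service, and only on behalf of this bucket in this account, may publish
data "aws_iam_policy_document" "queue" {
  statement {
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.cloudtrail_events.arn]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [data.aws_s3_bucket.cloudtrail.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_sqs_queue_policy" "cloudtrail_events" {
  queue_url = aws_sqs_queue.cloudtrail_events.id
  policy    = data.aws_iam_policy_document.queue.json
}

# S3 Event Notification: one message per newly written CloudTrail object
resource "aws_s3_bucket_notification" "cloudtrail" {
  bucket = data.aws_s3_bucket.cloudtrail.id
  queue {
    queue_arn     = aws_sqs_queue.cloudtrail_events.arn
    events        = ["s3:ObjectCreated:*"]
    filter_prefix = "AWSLogs/"
    filter_suffix = ".json.gz"
  }
  depends_on = [aws_sqs_queue_policy.cloudtrail_events]
}

# The IAM user the XSIAM S3 plugin authenticates as. Least privilege: receive and
# delete queue messages, and read only CloudTrail objects from the bucket.
resource "aws_iam_user" "xsiam_cloudtrail" {
  name = "xsiam-cloudtrail-reader" # assumption
}

data "aws_iam_policy_document" "xsiam_cloudtrail" {
  statement {
    sid     = "ReadQueue"
    effect  = "Allow"
    actions = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl"]
    resources = [aws_sqs_queue.cloudtrail_events.arn]
  }
  statement {
    sid       = "ReadCloudTrailObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${data.aws_s3_bucket.cloudtrail.arn}/AWSLogs/*"]
  }
}

resource "aws_iam_user_policy" "xsiam_cloudtrail" {
  name   = "xsiam-cloudtrail-read-only"
  user   = aws_iam_user.xsiam_cloudtrail.name
  policy = data.aws_iam_policy_document.xsiam_cloudtrail.json
}
```

Two caveats: if the CloudTrail bucket is encrypted with a customer-managed KMS key, the user policy also needs kms:Decrypt on that key, and the access key itself is deliberately not created here, because an aws_iam_access_key resource writes the secret into Terraform state; the key is created and rotated as described under Known Maintenance Requirements.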

Terraform Source

The Terraform for these Data Firehose and associated resources can be found here:

  • Managed member account VPC flow log data - https://github.com/ministryofjustice/modernisation-platform/blob/b629292a791bd8ce99b6bff6e0ddd888953cb76a/terraform/environments/core-vpc/vpc.tf#L85

  • Cloudtrail log data - https://github.com/ministryofjustice/modernisation-platform/blob/main/terraform/environments/core-logging/sqs.tf

Each Data Firehose delivery stream sends to an HTTP endpoint and authenticates with an access key. Both values are read from a common AWS Secrets Manager secret named “xsiam_secrets” held in the Modernisation Platform account, which holds the endpoints and keys for the VPC flow log, firewall log and Route 53 resolver log streams.
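How the endpoint-and-key arrangement above fits together, as an added example that is not the platform's own Terraform (the real files are linked above). It assumes AWS provider v5, that “xsiam_secrets” is a JSON secret with keys named vpc_flow_logs_endpoint and vpc_flow_logs_key (the real key names are not stated on this page), and invented bucket, role and log group names.

```terraform
# Added example, not Modernisation Platform code. Key names inside the secret,
# bucket and log group names are assumptions.

data "aws_secretsmanager_secret_version" "xsiam" {
  secret_id = "xsiam_secrets" # the shared secret named on this page
}

locals {
  # Assumed secret layout: {"vpc_flow_logs_endpoint": "https://...", "vpc_flow_logs_key": "..."}
  xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam.secret_string)
}

# Records the endpoint rejects are kept here, so a collector outage does not lose data
resource "aws_s3_bucket" "firehose_failed" {
  bucket = "example-firehose-xsiam-failed" # assumption
}

resource "aws_iam_role" "firehose" {
  name = "firehose-to-xsiam" # assumption
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "firehose.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "firehose" {
  role = aws_iam_role.firehose.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:PutObject", "s3:GetBucketLocation", "s3:ListBucket", "s3:AbortMultipartUpload"]
      Resource = [aws_s3_bucket.firehose_failed.arn, "${aws_s3_bucket.firehose_failed.arn}/*"]
    }]
  })
}

resource "aws_kinesis_firehose_delivery_stream" "vpc_flow_logs" {
  name        = "vpc-flow-logs-to-xsiam" # assumption
  destination = "http_endpoint"

  http_endpoint_configuration {
    name               = "xsiam"
    url                = local.xsiam["vpc_flow_logs_endpoint"]
    access_key         = local.xsiam["vpc_flow_logs_key"] # sent as the X-Amz-Firehose-Access-Key header
    role_arn           = aws_iam_role.firehose.arn
    buffering_size     = 5  # MiB
    buffering_interval = 60 # seconds
    retry_duration     = 300
    s3_backup_mode     = "FailedDataOnly"

    request_configuration {
      content_encoding = "GZIP"
    }

    s3_configuration {
      role_arn   = aws_iam_role.firehose.arn
      bucket_arn = aws_s3_bucket.firehose_failed.arn
    }
  }
}

# CloudWatch Logs needs its own role to write into the stream
resource "aws_iam_role" "cwl_to_firehose" {
  name = "cwl-to-firehose-xsiam" # assumption
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "logs.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "cwl_to_firehose" {
  role = aws_iam_role.cwl_to_firehose.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["firehose:PutRecord", "firehose:PutRecordBatch"]
      Resource = aws_kinesis_firehose_delivery_stream.vpc_flow_logs.arn
    }]
  })
}

# Forward the whole flow log group to the stream
resource "aws_cloudwatch_log_subscription_filter" "vpc_flow_logs" {
  name            = "vpc-flow-logs-to-xsiam"
  log_group_name  = "vpc-flow-logs" # assumption: the existing flow log group
  filter_pattern  = ""              # empty pattern forwards every event
  destination_arn = aws_kinesis_firehose_delivery_stream.vpc_flow_logs.arn
  role_arn        = aws_iam_role.cwl_to_firehose.arn
}
```

Reading the secret through a data source and passing it as access_key means the key is written to Terraform state (the provider marks it sensitive, which only affects plan output), so the state backend must be encrypted and access to it restricted. The FailedDataOnly backup is what makes a rotated or revoked key at the XSIAM end a recoverable event rather than silent data loss.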

Known Maintenance Requirements

  • The access key for the IAM user used by the Cortex XSIAM S3 plugin needs to be rotated every 6 months and the new value shared with the SecOps team. See the runbook page for Rotating Secrets for further information.

Known Contacts:

  • Leonardo Marini - Leonardo.Marini@justice.gov.uk. Contractor who implements the Cortex XSIAM endpoints that receive the Firehose transfers. (https://www.paloaltonetworks.com/cortex/cortex-xsiam)

  • The Protective Monitoring Team, who will be managing the Cortex XSIAM platform going forward - monitoring-and-integration-platform@justice.gov.uk

This page was last reviewed on 13 June 2024. It needs to be reviewed again on 13 December 2024 by the page owner #modernisation-platform .