A CDK library to ease repetetive construct creation for CrowdStrike data ingestion
Project description
cdk-library-crowdstrike-ingestion
A CDK library to ease repetitive construct creation for CrowdStrike data ingestion.
This library provides a construct that creates an S3 bucket with the necessary configuration for CrowdStrike data ingestion, along with an SQS queue for notifications, an IAM role for access, and optionally a KMS key for encryption.
It also provides another construct that handles creating log group subscriptions to a central bucket, along with the role needed for CloudWatch Logs to create the subscription.
Features
CrowdStrike Bucket Construct
- Creates an S3 bucket with appropriate security settings for CrowdStrike data ingestion
- Creates an SQS queue for bucket notifications with a dead-letter queue
- Creates an IAM role that CrowdStrike can assume to access the data
- Optionally creates a KMS key for encrypting data (to use if the service generating the data wants it)
- Reads CrowdStrike role and external ID from SSM parameters
- Supports organization-wide access for multi-account setups (read from SSM parameter)
- Configures bucket policies for logging if needed
- Provides customization options for all resources
Log Group Subscription Construct
- Creates a CloudWatch Log Group Subscription to forward logs to a central S3 bucket
- Automatically creates the necessary IAM role for CloudWatch Logs to create the subscription
- Supports passing in an existing role if desired
- Allows customization of the filter pattern for the subscription
API Doc
See API
License
This project is licensed under the Apache License, Version 2.0 - see the LICENSE file for details.
Examples
TypeScript
import { Stack, StackProps, Duration, aws_iam as iam, aws_logs as logs } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { CrowdStrikeBucket, CrowdStrikeLogSubscription } from '@renovosolutions/cdk-library-crowdstrike-ingestion';
export class CrowdStrikeIngestionStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
// Basic usage with default settings
new CrowdStrikeBucket(this, 'BasicBucket', {
bucketName: 'my-crowdstrike-bucket',
crowdStrikeRoleParameterArn: 'arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/roleArn',
crowdStrikeExternalIdParameterArn: 'arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/externalId',
});
// Advanced usage with KMS key and organization access
new CrowdStrikeBucket(this, 'AdvancedBucket', {
bucketName: 'my-advanced-crowdstrike-bucket',
createKmsKey: true,
keyProps: {
alias: 'crowdstrike-key',
enableKeyRotation: true,
description: 'KMS Key for CrowdStrike data encryption',
},
queueProps: {
queueName: 'crowdstrike-notifications',
visibilityTimeout: Duration.seconds(300),
},
roleProps: {
roleName: 'crowdstrike-access-role',
assumedBy: new iam.PrincipalWithConditions(new iam.ArnPrincipal('arn:aws:iam::123456789012:role/CrowdStrikeRole'), {
StringEquals: {
'sts:ExternalId': 'externalId123',
},
}),
},
loggingBucketSourceName: 'my-logging-bucket', // Allow this bucket to send access logs
orgIdParameterArn: 'arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/orgId', // Allow all accounts in the organization to write to the bucket
});
// Example of creating a log group subscription
const logGroup = new aws_logs.LogGroup(this, 'MyLogGroup', {
logGroupName: 'my-log-group',
});
const subscription = new CrowdStrikeLogSubscription(stack, 'BasicTestSubscription', {
logGroup,
logDestinationArn: 'arn:aws:logs:us-east-1:123456789012:destination:test-destination',
});
new CrowdStrikeLogSubscription(stack, 'AdvancedTestSubscription', {
logGroup,
logDestinationArn: 'arn:aws:logs:us-east-1:123456789012:destination:another-test-destination',
role: subscription.role,
filterPattern: 'error',
});
}
}
Python
from aws_cdk import (
Stack,
Duration,
aws_iam as iam,
aws_kms as kms,
aws_logs as logs,
)
from constructs import Construct
from crowdstrike_ingestion import ( CrowdStrikeBucket, CrowdStrikeLogSubscription )
class CrowdStrikeIngestionStack(Stack):
def __init__(self, scope: Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Basic usage with default settings
CrowdStrikeBucket(self, 'BasicBucket',
bucket_name='my-crowdstrike-bucket',
crowd_strike_role_parameter_arn='arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/roleArn',
crowd_strike_external_id_parameter_arn='arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/externalId')
# Advanced usage with KMS key and organization access
CrowdStrikeBucket(self, 'AdvancedBucket',
bucket_name='my-advanced-crowdstrike-bucket',
create_kms_key=True,
key_props={
alias='crowdstrike-key',
enable_key_rotation=True,
description='KMS Key for CrowdStrike data encryption'
},
queue_props={
'queue_name': 'crowdstrike-notifications',
'visibility_timeout': Duration.seconds(300)
},
role_props={
'role_name': 'crowdstrike-access-role',
'assumed_by': iam.PrincipalWithConditions(
iam.ArnPrincipal('arn:aws:iam::123456789012:role/CrowdStrikeRole'),
{'StringEquals': {'sts:ExternalId': 'externalId123'}})
},
logging_bucket_source_name='my-logging-bucket', # Allow this bucket to send access logs
org_id_parameter_arn='arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/orgId') # Allow all accounts in the organization to write to the bucket
# Example of creating a log group subscription
log_group = logs.LogGroup(self, 'MyLogGroup', log_group_name='my-log-group')
subscription = CrowdStrikeLogSubscription(self, 'BasicTestSubscription',
log_group=log_group,
log_destination_arn='arn:aws:logs:us-east-1:123456789012:destination:test-destination')
CrowdStrikeLogSubscription(self, 'AdvancedTestSubscription',
log_group=log_group,
log_destination_arn='arn:aws:logs:us-east-1:123456789012:destination:another-test-destination',
role=subscription.role,
filter_pattern='error')
C Sharp
using Amazon.CDK;
using IAM = Amazon.CDK.AWS.IAM;
using KMS = Amazon.CDK.AWS.KMS;
using Logs = Amazon.CDK.AWS.Logs;
using SQS = Amazon.CDK.AWS.SQS;
using Constructs;
using System.Collections.Generic;
using renovosolutions;
namespace CrowdStrikeIngestionExample
{
public class CrowdStrikeIngestionStack : Stack
{
internal CrowdStrikeIngestionStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
{
// Basic usage with default settings
new CrowdStrikeBucket(this, "BasicBucket", new CrowdStrikeBucketProps
{
BucketName = "my-crowdstrike-bucket",
CrowdStrikeRoleParameterArn = "arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/roleArn",
CrowdStrikeExternalIdParameterArn = "arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/externalId"
});
// Advanced usage with KMS key and organization access
new CrowdStrikeBucket(this, "AdvancedBucket", new CrowdStrikeBucketProps
{
BucketName = "my-advanced-crowdstrike-bucket",
CreateKmsKey = true,
KeyProps = new KMS.KeyProps
{
Alias = "crowdstrike-key",
EnableKeyRotation = true,
Description = "KMS Key for CrowdStrike data encryption"
},
QueueProps = new SQS.QueueProps
{
QueueName = "crowdstrike-notifications",
VisibilityTimeout = Duration.Seconds(300)
},
RoleProps = new IAM.RoleProps
{
RoleName = "crowdstrike-access-role"
AssumedBy = new IAM.PrincipalWithConditions(new IAM.ArnPrincipal("arn:aws:iam::123456789012:role/CrowdStrikeRole"), new Dictionary<string, object>
{
{ "StringEquals", new Dictionary<string, string> { { "sts:ExternalId", "externalId123" } } }
})
},
LoggingBucketSourceName = "my-logging-bucket", // Allow this bucket to send access logs
OrgIdParameterArn = "arn:aws:ssm:us-east-1:123456789012:parameter/custom/crowdstrike/orgId" // Allow all accounts in the organization to write to the bucket
});
// Example of creating a log group subscription
var logGroup = new Logs.LogGroup(this, "MyLogGroup", new Logs.LogGroupProps
{
LogGroupName = "my-log-group"
});
var subscription = new CrowdStrikeLogSubscription(this, "BasicTestSubscription", new CrowdStrikeLogSubscriptionProps
{
LogGroup = logGroup,
LogDestinationArn = "arn:aws:logs:us-east-1:123456789012:destination:test-destination"
});
new CrowdStrikeLogSubscription(this, "AdvancedTestSubscription", new CrowdStrikeLogSubscriptionProps
{
LogGroup = logGroup,
LogDestinationArn = "arn:aws:logs:us-east-1:123456789012:destination:another-test-destination",
Role = subscription.Role,
FilterPattern = "error"
});
}
}
}
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file renovosolutions_aws_cdk_crowdstrike_ingestion-0.0.0.tar.gz.
File metadata
- Download URL: renovosolutions_aws_cdk_crowdstrike_ingestion-0.0.0.tar.gz
- Upload date:
- Size: 70.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
63e628d2dc6df75cc9ae74583c5d5f4477ba2e6217ef45c72c88f1f9e71414a9
|
|
| MD5 |
2bb9ca8dd6ddaf6e4202f1b4bb1f5819
|
|
| BLAKE2b-256 |
454d61dafdb72fe8a1d9be0654380f18469be2981f89d4738c8f1089613fa51f
|
File details
Details for the file renovosolutions.aws_cdk_crowdstrike_ingestion-0.0.0-py3-none-any.whl.
File metadata
- Download URL: renovosolutions.aws_cdk_crowdstrike_ingestion-0.0.0-py3-none-any.whl
- Upload date:
- Size: 68.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
73632da116a1cb58e2ac914d96d1340a525f6261107786e1117818023733dcff
|
|
| MD5 |
c218b1ca5542ae563d002d76d109aa40
|
|
| BLAKE2b-256 |
f2d7f8b4fb6c0c45b17ca7fcdfc5c8bc4259a48f656c4141e842ea18c6c84880
|
