Blackhole Capture - A Transit Gateway Flow Logs based solution for building an efficient network monitoring architecture with proactive detection capabilities.
Capture all of the packets being sent into a blackhole.
The prerequisite CloudFormation stacks set up any resources that we do not want to create from the CDK project. For example, we do not want to check secrets into the code, but some CDK stacks depend on those secrets existing. The CFN templates for all prerequisite resources are in the `/prerequisites` folder.
This CDK project creates the infrastructure needed to capture and analyze network traffic that would otherwise be dropped into a blackhole. Run `cdk deploy --all` to deploy the stacks. The deployment can be configured to work across multiple AWS accounts, depending on your organizational structure.
This project can be deployed across multiple AWS accounts. To allow a central deployment account to deploy
into target accounts, you will need to bootstrap the target accounts in each region you are deploying to. For
example, if the deployment account is 111111111111 and the target account is 444444444444, you can bootstrap the target
account with the following command:
```shell
cdk bootstrap 444444444444/us-east-2 --no-bootstrap-customer-key --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess' --trust 111111111111 --trust-for-lookup 111111111111
```
This command tells CDK to bootstrap the target account 444444444444 in the us-east-2 region and allows the deployment account 111111111111 to assume both the deployment role and the read-only (lookup) role that CDK creates in the target account.
The `cdk.json` file loads runtime context values that can be associated with an app, stack, or construct and read with `self.node.try_get_context`. For more information about CDK context and how it is used, see the Runtime context documentation.
This project uses the runtime context to define the following properties:
| Name | Description |
|---|---|
| flowLogsBucketName | The name of the S3 bucket that contains the VPC flow logs |
| regionalCidrs | The CIDRs that represent each supported region |
| supportedRegions | The regions that the Blackhole VPC will be deployed to |
| configAggregatorId | The ID of the Config Aggregator to use |
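As an added example (not part of this project's code), the following Python helper validates these context values before a stack reads them with `self.node.try_get_context`: every supported region must have a CIDR, the CIDRs must parse and must not overlap, and the bucket name must satisfy S3 naming rules. The `cdk.json` content below is a constructed sample, not the project's real values.

```python
import ipaddress
import json
import re

# Constructed sample of the "context" section of cdk.json (not the project's real values).
SAMPLE_CDK_JSON = """{"context": {
  "flowLogsBucketName": "blackhole-capture-flow-logs-example",
  "regionalCidrs": {"us-east-1": "10.255.0.0/24", "us-east-2": "10.255.1.0/24"},
  "supportedRegions": ["us-east-1", "us-east-2"],
  "configAggregatorId": "example-aggregator"}}"""
REQUIRED_KEYS = ("flowLogsBucketName", "regionalCidrs", "supportedRegions", "configAggregatorId")
# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_context(context):
    """Return the problems found in the runtime context; an empty list means valid."""
    problems = [f"missing context key: {k}" for k in REQUIRED_KEYS if k not in context]
    if problems:
        return problems
    if not BUCKET_RE.match(context["flowLogsBucketName"]):
        problems.append("flowLogsBucketName is not a valid S3 bucket name")

    regions, cidrs = set(context["supportedRegions"]), context["regionalCidrs"]
    # Every region that gets a Blackhole VPC needs a CIDR, and a CIDR for a region
    # that is never deployed to is almost certainly a typo.
    for region in regions - set(cidrs):
        problems.append(f"no CIDR defined for supported region {region}")
    for region in set(cidrs) - regions:
        problems.append(f"CIDR defined for unsupported region {region}")

    # CIDRs must parse; regional blocks must not overlap, or traffic captured in one
    # region's VPC could be attributed to another.
    networks = []
    for region, cidr in cidrs.items():
        try:
            networks.append((region, ipaddress.ip_network(cidr, strict=True)))
        except ValueError as exc:
            problems.append(f"invalid CIDR for {region}: {exc}")
    for i, (r1, n1) in enumerate(networks):
        for r2, n2 in networks[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"CIDRs for {r1} and {r2} overlap")
    return problems


def validate_cdk_json(text):
    """Parse a cdk.json document and validate its context section."""
    return validate_context(json.loads(text).get("context", {}))
```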
- Attachment CIDR Collector - Uses an AWS Config Aggregator to collect the CIDR blocks of source and destination Transit Gateway attachments. Can be configured to work across accounts using cross-account roles.
- Networking - Creates a VPC with flow logs enabled for traffic capture
- Logging - Creates an S3 bucket to store the flow logs
- Monitoring - Creates Lambda functions to read and process the flow logs
- Notification - Creates Lambda functions that will be notified when source/destination TGW attachments are identified