
aws-samples/sample-identifying-unrouteable-traffic-using-transit-gateway

Blackhole Capture - Using Transit Gateway Flow Logs based solution to create an efficient network monitoring architecture with proactive detection capabilities.

Capture all of those packets being sent into a blackhole.

Prerequisites

The prerequisite CloudFormation stacks set up the resources that we do not want to create from the CDK project. For example, we do not want to commit secrets to the repository, but some CDK stacks depend on those secrets already existing. The CloudFormation templates for the prerequisite resources are found in the /prerequisites folder.

CDK

This CDK project creates the infrastructure needed to capture and analyze network traffic that would otherwise be dropped into a blackhole. Run the command cdk deploy --all to deploy the stacks. The deployment can be configured to work across multiple AWS accounts depending on your organizational structure.

Bootstrapping

This project can be deployed across multiple AWS accounts. To allow a central deployment account to deploy into target accounts, you will need to bootstrap the target accounts in each region you are deploying to. For example, if the deployment account is 111111111111 and the target account is 444444444444, you can bootstrap the target account with the following command:

cdk bootstrap 444444444444/us-east-2 --no-bootstrap-customer-key --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess' --trust 111111111111 --trust-for-lookup 111111111111

This command tells CDK to bootstrap the target account 444444444444 in the us-east-2 region and to allow the deployment account 111111111111 to assume both the deployment role and the read-only (lookup) role that CDK creates in the target account.

CDK Context

The cdk.json file is used to load runtime context values that can be associated with an app, stack, or construct using self.node.try_get_context. For more information about the CDK context and how it is used, please see the Runtime context documentation. This project uses the runtime context to define the following properties:

Name                 Description
flowLogsBucketName   The name of the S3 bucket that contains the VPC flow logs
regionalCidrs        The CIDRs that represent each supported region
supportedRegions     The regions that the Blackhole VPC will be deployed to
configAggregatorId   The ID of the Config Aggregator to use
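A pre-deployment check for these four context keys, added here as an example and not part of the repository. It assumes regionalCidrs maps a region name to a list of CIDR strings (the README does not state its shape) and uses a constructed sample context; run it before cdk deploy --all so that a malformed bucket name, a supported region with no CIDR, a CIDR with host bits set, or prefixes that overlap between regions are caught before anything is deployed into the target accounts.

```python
import ipaddress
import re

# Context keys this project reads from cdk.json (key names taken from the README).
REQUIRED_KEYS = ("flowLogsBucketName", "regionalCidrs", "supportedRegions", "configAggregatorId")
# S3 bucket naming rules: 3-63 lowercase letters, digits, dots or hyphens, starting and
# ending with a letter or digit, no "..", and not formatted like an IPv4 address.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_SHAPE_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample context; regionalCidrs is assumed to map region -> list of CIDRs.
SAMPLE_CONTEXT = {
    "flowLogsBucketName": "blackhole-flow-logs-444444444444",
    "regionalCidrs": {"us-east-1": ["10.0.0.0/16"], "us-east-2": ["10.1.0.0/16"]},
    "supportedRegions": ["us-east-1", "us-east-2"],
    "configAggregatorId": "org-config-aggregator",
}


def validate_context(context: dict) -> list:
    """Return the problems found in a CDK context dict; an empty list means it is usable."""
    problems = [f"missing context key: {k}" for k in REQUIRED_KEYS if k not in context]
    if problems:
        return problems
    bucket = context["flowLogsBucketName"]
    if not _BUCKET_RE.match(bucket) or ".." in bucket or _IPV4_SHAPE_RE.fullmatch(bucket):
        problems.append(f"invalid S3 bucket name: {bucket!r}")
    cidrs = context["regionalCidrs"]
    for region in context["supportedRegions"]:
        if not cidrs.get(region):
            problems.append(f"no regionalCidrs entry for supported region {region}")
    # Every CIDR must parse as a network (no host bits set) and must not overlap a
    # prefix of another region, or traffic could not be attributed to a single region.
    seen = []
    for region, blocks in cidrs.items():
        for block in blocks:
            try:
                net = ipaddress.ip_network(block, strict=True)
            except ValueError:
                problems.append(f"invalid CIDR {block!r} for region {region}")
                continue
            for other_region, other in seen:
                if other_region != region and net.overlaps(other):
                    problems.append(f"{block} ({region}) overlaps {other} ({other_region})")
            seen.append((region, net))
    if not str(context["configAggregatorId"]).strip():
        problems.append("configAggregatorId must not be empty")
    return problems
```

Load the real values with json.load(open("cdk.json"))["context"] and fail the deployment pipeline if validate_context returns a non-empty list.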

Components

  • Attachment CIDR Collector - Uses AWS Config Aggregator to collect the CIDR blocks of source and destination Transit Gateway attachments. Can be configured to work across accounts using cross-account roles.
  • Networking - Creates a VPC with flow logs enabled for traffic capture
  • Logging - Creates an S3 bucket to store the flow logs
  • Monitoring - Creates Lambda functions to read and process the flow logs
  • Notification - Creates Lambda functions that will be notified when source/destination TGW attachments are identified
