HowToMigrateToV3.md

File metadata and controls

93 lines (68 loc) · 11 KB

# How to migrate to BLEA v3

See the Release note for the differences from v2.

## Summary

In BLEA v2 each use case consisted of multiple stacks; v3 changed to a single-stack configuration (multiple stacks are used only when needed, such as in the multi-region guest system sample). Migrating to v3 therefore requires deleting the stacks that are already deployed and re-creating them. This migration guide shows the impact on services that hold logs and findings, such as AWS CloudTrail, AWS Config, and AWS Security Hub. Resources whose stack-destruction behavior is "Retain" are left in the account after the stack is deleted and are not managed by the v3 stack; keep or remove them deliberately.

## Stack configuration in BLEA v2 and impact of resource re-creation

*If "Impact of resource re-creation" is "-", deleting and re-creating the resource has no effect.

### BLEAChatbotStack (Standalone, Multi-account)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_iam.Role | ChatbotRole | Delete | - |
| aws_chatbot.CfnSlackChannelConfiguration | ChatbotChannel | Delete | - |

### BLEAConfigRulesStack (Standalone, Multi-account)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_config.ManagedRule | BLEARuleDefaultSecurityGroupClosed | Delete | - |
| aws_iam.Role | RemoveSecGroupRemediationRole | Delete | - |
| aws_config.CfnRemediationConfiguration | RmDefaultSg | Delete | - |

### BLEAIamStack (Standalone, Multi-account)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_iam.ManagedPolicy | SysAdminPolicy, etc. | Delete | - |
| aws_iam.Role | SysAdminRole, etc. | Delete | - |
| aws_iam.Group | SysAdminGroup, etc. | Delete | - |

### BLEASecurityAlarmStack (Standalone, Multi-account)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_sns.Topic | SecurityAlarmTopic | Delete | - |
| aws_events.Rule | BLEARuleConfigRules, etc. | Delete | - |
| aws_logs.MetricFilter | IAMPolicyChange, etc. | Delete | - |
| aws_cloudwatch.Alarm | IAMPolicyChangeAlarm, etc. | Delete | - |

### BLEATrailStack (Standalone, Multi-account)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_s3.Bucket | ArchiveLogsBucket | Retain | - |
| aws_s3.Bucket | CloudTrailBucket | Retain | A new S3 bucket is created to store the CloudTrail trail. To search trail records written by v2 in Amazon Athena, you need to query a different data source (the retained v2 bucket). |
| aws_kms.Key | CloudTrailKey | Retain | A new CMK is created to encrypt the CloudWatch Logs LogGroup that records CloudTrail events. If you keep the LogGroup created by v2, you must also keep the old CMK: log data encrypted with it cannot be read once the key is disabled or deleted. |
| aws_logs.LogGroup | CloudTrailLogGroup | Retain | A new CloudWatch Logs LogGroup is created to record CloudTrail events. To search event logs recorded by v2, you need to query the retained v2 LogGroup. |
| aws_cloudtrail.Trail | CloudTrail | Delete | - |

### BLEAConfigCtGuardrailStack (Standalone)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| CfnInclude | ConfigCtGr | Delete | - |

### BLEAConfigStack (Standalone)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_iam.Role | ConfigRole | Delete | - |
| aws_config.CfnConfigurationRecorder | ConfigRecorder | Delete | Configuration items recorded before the configuration recorder is deleted are not deleted with it; they are accessible again after the recorder is re-enabled. Ref: delete-configuration-recorder |
| aws_s3.Bucket | ConfigBucket | Retain | A new S3 bucket is created to store AWS Config configuration items. To search configuration items recorded by v2, you need to query a different data source (the retained v2 bucket). |
| aws_config.CfnDeliveryChannel | ConfigDeliveryChannel | Delete | - |

### BLEAGuarddutyStack (Standalone)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_guardduty.CfnDetector | GuardDutyDetector | Delete | - |

### BLEASecurityHubStack (Standalone)

| Type of resource | Logical ID | Behavior on stack destruction | Impact of resource re-creation |
| --- | --- | --- | --- |
| aws_iam.CfnServiceLinkedRole | RoleForSecurityHub | Delete | - |
| aws_securityhub.CfnHub | SecurityHub | Delete | A new Security Hub resource is created. Existing findings are deleted 90 days after Security Hub is disabled, so complete the migration (re-enable Security Hub by deploying v3) within 90 days of destroying the v2 stack. Ref: Disabling Security Hub |

## How to migrate

1. Destroy all stacks of BLEA v2
   - If you still have the BLEA v2 source code, run `npx aws-cdk destroy --all -c environment={environment name} --profile {profile}` in a terminal
   - Alternatively, open the CloudFormation console in the AWS Management Console and delete all BLEA v2 stacks
2. Update the BLEA v2 source code to BLEA v3
3. Deploy BLEA v3
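Before step 1, it is worth knowing exactly which resources will survive `cdk destroy` and which retained LogGroup still depends on a retained CMK. The script below is an added example, not part of BLEA: it reads a synthesized CloudFormation template (for example `cdk.out/<StackName>.template.json` from a `cdk synth` of the v2 code), classifies every resource by its `DeletionPolicy`, and flags retained `AWS::Logs::LogGroup` resources whose `KmsKeyId` points at a retained `AWS::KMS::Key`. The embedded `SAMPLE_TEMPLATE` is a constructed template shaped like a trail stack; it is not the real BLEATrailStack template, and the logical IDs in it are chosen for illustration.

```python
"""Pre-flight check for a BLEA v2 -> v3 migration (added example, not BLEA code).

Usage: python preflight.py cdk.out/BLEATrailStack.template.json
Without an argument it runs against the constructed SAMPLE_TEMPLATE below.
"""
import json
import sys
from typing import Any, Dict, List, Tuple

RETAIN_POLICIES = ("Retain", "RetainExceptOnCreate")

# Constructed sample template; resembles a trail stack but is NOT the actual
# BLEA v2 template. Logical IDs are illustrative.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "CloudTrailKey": {
            "Type": "AWS::KMS::Key",
            "DeletionPolicy": "Retain",
            "Properties": {"EnableKeyRotation": True},
        },
        "CloudTrailBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "Properties": {},
        },
        "CloudTrailLogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "DeletionPolicy": "Retain",
            "Properties": {
                "KmsKeyId": {"Fn::GetAtt": ["CloudTrailKey", "Arn"]},
                "RetentionInDays": 731,
            },
        },
        "CloudTrail": {
            # No DeletionPolicy: CloudFormation defaults to Delete.
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "S3BucketName": {"Ref": "CloudTrailBucket"},
                "CloudWatchLogsLogGroupArn": {"Fn::GetAtt": ["CloudTrailLogGroup", "Arn"]},
            },
        },
    }
})


def classify_resources(template_json: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split resources into {"Retain": [...], "Delete": [...]} of (logical_id, type).

    A missing DeletionPolicy means Delete. "Snapshot" is grouped with Delete
    because the resource itself is removed.
    """
    template = json.loads(template_json)
    out: Dict[str, List[Tuple[str, str]]] = {"Retain": [], "Delete": []}
    for logical_id, res in template.get("Resources", {}).items():
        policy = res.get("DeletionPolicy", "Delete")
        group = "Retain" if policy in RETAIN_POLICIES else "Delete"
        out[group].append((logical_id, res.get("Type", "")))
    return out


def _referenced_logical_ids(node: Any) -> List[str]:
    """Collect logical IDs referenced via Ref / Fn::GetAtt anywhere under node."""
    found: List[str] = []
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            found.append(node["Ref"])
        att = node.get("Fn::GetAtt")
        if isinstance(att, list) and att:
            found.append(att[0])
        elif isinstance(att, str):           # "Logical.Attr" short form
            found.append(att.split(".", 1)[0])
        for value in node.values():
            found.extend(_referenced_logical_ids(value))
    elif isinstance(node, list):
        for value in node:
            found.extend(_referenced_logical_ids(value))
    return found


def retained_kms_dependencies(template_json: str) -> List[Tuple[str, str]]:
    """(log_group_id, key_id) pairs where a retained LogGroup is encrypted by a retained key.

    The key must outlive the LogGroup: CloudWatch Logs cannot decrypt the
    retained log data once the CMK is disabled or deleted.
    """
    resources = json.loads(template_json).get("Resources", {})
    pairs: List[Tuple[str, str]] = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::Logs::LogGroup":
            continue
        if res.get("DeletionPolicy") not in RETAIN_POLICIES:
            continue
        for ref in _referenced_logical_ids(res.get("Properties", {}).get("KmsKeyId")):
            target = resources.get(ref, {})
            if target.get("Type") == "AWS::KMS::Key" and target.get("DeletionPolicy") in RETAIN_POLICIES:
                pairs.append((logical_id, ref))
    return pairs


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    groups = classify_resources(source)
    print("Left in the account after destroy (Retain):")
    for logical_id, rtype in groups["Retain"]:
        print(f"  {logical_id} ({rtype})")
    print("Deleted with the stack:")
    for logical_id, rtype in groups["Delete"]:
        print(f"  {logical_id} ({rtype})")
    for log_group, key in retained_kms_dependencies(source):
        print(f"KEEP KEY: {log_group} is encrypted with {key}; do not delete the key while the LogGroup is kept")
```

Run it against each v2 stack template before destroying, and keep the printed "Retain" list as the inventory of v2 resources to clean up (or keep for querying, per the tables above) after v3 is deployed.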