See the release note for the differences from v2.
In BLEA v2 each use case consisted of multiple stacks; v3 changed to a single-stack configuration (multiple stacks are used only where needed, such as the multi-region guest system sample). Migrating to v3 therefore requires deleting the stacks that are already deployed and re-creating them. This migration guide shows the impact on services that hold logs and findings, such as AWS CloudTrail, AWS Config, and AWS Security Hub.
* If "Impact of resource re-creation" is "-", deleting and re-creating that resource has no effect.
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_iam.Role | ChatbotRole | Delete | - |
| aws_chatbot.CfnSlackChannelConfiguration | ChatbotChannel | Delete | - |
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_config.ManagedRule | BLEARuleDefaultSecurityGroupClosed | Delete | - |
| aws_iam.Role | RemoveSecGroupRemediationRole | Delete | - |
| aws_config.CfnRemediationConfiguration | RmDefaultSg | Delete | - |
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_iam.ManagedPolicy | SysAdminPolicy etc. | Delete | - |
| aws_iam.Role | SysAdminRole etc. | Delete | - |
| aws_iam.Group | SysAdminGroup etc. | Delete | - |
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_sns.Topic | SecurityAlarmTopic | Delete | - |
| aws_events.Rule | BLEARuleConfigRules etc. | Delete | - |
| aws_logs.MetricFilter | IAMPolicyChange etc. | Delete | - |
| aws_cloudwatch.Alarm | IAMPolicyChangeAlarm etc. | Delete | - |
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_s3.Bucket | ArchiveLogsBucket | Retain | - |
| aws_s3.Bucket | CloudTrailBucket | Retain | A new S3 bucket is created to store the CloudTrail trail. To search trail events recorded in v2 with Amazon Athena, you need to query a different data source. |
| aws_kms.Key | CloudTrailKey | Retain | A new CMK is created to encrypt the CloudWatch Logs LogGroup that records CloudTrail events. If you keep the LogGroup created in v2, you should keep the old CMK as well. |
| aws_logs.LogGroup | CloudTrailLogGroup | Retain | A new CloudWatch Logs LogGroup is created to record CloudTrail events. To search event logs recorded in v2, you need to query a different LogGroup. |
| aws_cloudtrail.Trail | CloudTrail | Delete | - |
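Because the v2 trail stays in the retained bucket while the v3 trail lands in a newly created one, an investigation that spans the cutover has to read both locations. The following is an added example, not part of this guide or of the BLEA code base: it defines one Athena table per bucket with the CloudTrail SerDe and unions them in a single query. The bucket names, the account ID, the database name, the date window and the event-name list are placeholders or constructed values; replace them with your own.

```sql
-- Added example, not BLEA code. Placeholders: <v2-cloudtrail-bucket>,
-- <v3-cloudtrail-bucket>, 123456789012 (account ID), blea_migration (database).
CREATE DATABASE IF NOT EXISTS blea_migration;

-- Table over the retained v2 bucket. The CloudTrail SerDe matches columns by
-- name, so this subset of the documented CloudTrail record fields is enough.
CREATE EXTERNAL TABLE IF NOT EXISTS blea_migration.cloudtrail_v2 (
  eventVersion STRING,
  userIdentity STRUCT<type: STRING, principalId: STRING, arn: STRING,
                      accountId: STRING, userName: STRING>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestParameters STRING,
  responseElements STRING,
  requestId STRING,
  eventId STRING,
  eventType STRING,
  readOnly STRING,
  recipientAccountId STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://<v2-cloudtrail-bucket>/AWSLogs/123456789012/CloudTrail/';

-- Identical definition over the bucket the v3 stack created.
CREATE EXTERNAL TABLE IF NOT EXISTS blea_migration.cloudtrail_v3 (
  eventVersion STRING,
  userIdentity STRUCT<type: STRING, principalId: STRING, arn: STRING,
                      accountId: STRING, userName: STRING>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestParameters STRING,
  responseElements STRING,
  requestId STRING,
  eventId STRING,
  eventType STRING,
  readOnly STRING,
  recipientAccountId STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://<v3-cloudtrail-bucket>/AWSLogs/123456789012/CloudTrail/';

-- Cross-cutover search: IAM policy changes (the kind of event the
-- IAMPolicyChange metric filter alarms on) around the migration window.
-- eventTime is an ISO 8601 string, so a string BETWEEN on a fixed-format
-- window compares correctly without a timestamp conversion.
WITH all_trails AS (
  SELECT 'v2' AS trail_generation, eventTime, eventSource, eventName,
         userIdentity.arn AS principal_arn, sourceIpAddress, errorCode
  FROM blea_migration.cloudtrail_v2
  UNION ALL
  SELECT 'v3' AS trail_generation, eventTime, eventSource, eventName,
         userIdentity.arn AS principal_arn, sourceIpAddress, errorCode
  FROM blea_migration.cloudtrail_v3
)
SELECT trail_generation, eventTime, eventName, principal_arn, sourceIpAddress, errorCode
FROM all_trails
WHERE eventSource = 'iam.amazonaws.com'
  AND eventName IN ('PutUserPolicy', 'PutRolePolicy', 'PutGroupPolicy',
                    'AttachUserPolicy', 'AttachRolePolicy', 'AttachGroupPolicy',
                    'CreatePolicy', 'CreatePolicyVersion', 'DeletePolicy')
  AND eventTime BETWEEN '2024-01-01T00:00:00Z' AND '2024-02-01T00:00:00Z'  -- constructed window
ORDER BY eventTime;
```

The `trail_generation` column tells you which bucket each row came from, which matters when reconciling gaps at the moment the v2 trail was deleted and the v3 trail started writing. The same split applies to the CloudWatch Logs side: a Logs Insights search for events across the cutover must select both the retained v2 LogGroup and the new v3 LogGroup, and the v2 LogGroup stays readable only while its original CMK is kept.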
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| CfnInclude | ConfigCtGr | Delete | - |
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_iam.Role | ConfigRole | Delete | - |
| aws_config.CfnConfigurationRecorder | ConfigRecorder | Delete | Configuration items that were previously recorded are not deleted when you delete the Config Recorder. You can access them again after re-enabling the Config Recorder. Ref: delete-configuration-recorder |
| aws_s3.Bucket | ConfigBucket | Retain | A new S3 bucket is created to store AWS Config configuration items. To search configuration items recorded in v2, you need to query a different data source. |
| aws_config.CfnDeliveryChannel | ConfigDeliveryChannel | Delete | - |
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_guardduty.CfnDetector | GuardDutyDetector | Delete | - |
| Types of resources | Logical ID | Behavior of stack destruction | Impact of resource re-creation |
|---|---|---|---|
| aws_iam.CfnServiceLinkedRole | RoleForSecurityHub | Delete | - |
| aws_securityhub.CfnHub | SecurityHub | Delete | A new Security Hub resource is created. Existing findings are deleted 90 days after Security Hub is disabled, so you need to complete the migration within 90 days of disabling Security Hub. Ref: Disabling Security Hub |
- Destroy all stacks of BLEA v2
  - If you still have the BLEA v2 source code, run the following in a terminal:
    `npx aws-cdk destroy --all -c environment={environment name} --profile {profile}`
  - Otherwise, open the CloudFormation console in the AWS Management Console and destroy all stacks of BLEA v2
- Update the BLEA v2 source code to BLEA v3
  - Pull and merge the BLEA v3 source code from GitHub
  - Copy the parameters from `cdk.json` to `parameter.ts`. See 4-1. Set deployment parameters
- Deploy BLEA v3
  - Deploy BLEA v3 following 4-2. Deploy a governance base
- The migration is complete if there are no errors