The purpose of this article is to offer general guidance on troubleshooting issues with the deployment of CrowdStrike Falcon Next-Gen SIEM for AWS through AWS Marketplace. It summarizes common issues and the recommended steps to resolve them.
Overview:
CrowdStrike’s pay-as-you-go listing for Falcon Next-Gen SIEM in AWS Marketplace includes a new automated setup experience that automatically provisions the AWS resources required for deployment using AWS CloudFormation. After subscribing through AWS Marketplace, customers are guided through a step-by-step configuration wizard to complete setup and begin using the solution.
This article highlights the most common issues customers may encounter during deployment and provides guidance on how to resolve them.
Common Issues and How to Resolve Them
1. Deployment must be initiated from the AWS Organizations management account
- CrowdStrike Next-Gen SIEM can only be deployed from the AWS Organizations management account (or a delegated admin account, if supported) using an administrator-level role. Because the deployment creates cross-account roles and permissions across the entire organization, management-account access is required to ensure consistent and secure configuration. This is the recommended approach because it aligns with best practices for AWS organization setup and security architecture.
- Customers using standalone accounts or attempting deployment from a member account will not be able to complete setup.
2. CloudFormation StackSet failure due to missing trusted access
- The onboarding flow deploys cross-account resources using AWS CloudFormation StackSets. For this to work, trusted access for AWS CloudFormation must be enabled in AWS Organizations. In many organizations this is not enabled by default, which causes the deployment to fail during StackSet operations even though the CloudFormation stack initially launches.
- When trusted access is disabled, customers may see an error such as:
Resource handler returned message: "You must enable organizations access to operate a service managed stack set (Service: CloudFormation, Status Code: 400, Request ID: ) (SDK Attempt Count: 1)" (RequestToken: , HandlerErrorCode: InvalidRequest)
- To resolve this issue, ensure that CloudFormation trusted access is enabled from the AWS Organizations console under the management account.
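A preflight for the prerequisites in items 1 and 2, as an added example (not CrowdStrike or AWS code). It assumes boto3 for the optional `--live` mode, treats only the management account as valid (delegated admin is not handled), and uses AWS's StackSets service principal name, which the article does not quote; the default run uses constructed sample values.

```python
# AWS's service principal for service-managed StackSets (not quoted in the article).
STACKSETS_PRINCIPAL = "member.org.stacksets.cloudformation.amazonaws.com"


def preflight(caller_account, organization, enabled_principals):
    """Return blocking findings; an empty list means both prerequisites are met."""
    # organization: describe-organization "Organization" dict, or None if standalone.
    # enabled_principals: trusted service principals, or None when they are unknown.
    if organization is None:
        return ["standalone account: not part of an AWS Organization"]
    findings = []
    mgmt = organization["MasterAccountId"]
    if caller_account != mgmt:
        findings.append(f"account {caller_account} is not the management account ({mgmt})")
    if enabled_principals is not None and STACKSETS_PRINCIPAL not in enabled_principals:
        findings.append("CloudFormation StackSets trusted access is not enabled")
    return findings


def collect_live():
    """Gather the inputs with boto3 (needs AWS credentials; only used with --live)."""
    import boto3
    from botocore.exceptions import ClientError

    account = boto3.client("sts").get_caller_identity()["Account"]
    org = boto3.client("organizations")
    try:
        organization = org.describe_organization()["Organization"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "AWSOrganizationsNotInUseException":
            raise
        return account, None, None
    principals = None  # unknown: a plain member account cannot list trusted services
    if account == organization["MasterAccountId"]:
        paginator = org.get_paginator("list_aws_service_access_for_organization")
        principals = set()
        for page in paginator.paginate():
            principals |= {s["ServicePrincipal"] for s in page["EnabledServicePrincipals"]}
    return account, organization, principals


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        inputs = collect_live()
    else:  # constructed sample: management account with trusted access still disabled
        inputs = ("111111111111", {"MasterAccountId": "111111111111"}, set())
    for finding in preflight(*inputs) or ["ok: both prerequisites met"]:
        print(finding)
```

Running it before launching the stack surfaces the condition behind the "You must enable organizations access" error without waiting for the StackSet operation to fail.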

3. Access and Permissions Requirements
- As the deployment integrates with multiple AWS services to automate SIEM deployment and data collection across your AWS organization, the solution uses CloudFormation to configure essential resources including:
  - IAM roles
  - CloudTrail S3 bucket configurations
  - KMS permissions
  - EventBridge rules
  - SQS queues
  - Lambda functions
  - Secrets Manager
- Note: For customers with AWS Security Hub or Amazon GuardDuty enabled, the solution automatically configures the necessary EventBridge rules to connect these services to Next-Gen SIEM, further streamlining the deployment process.
- Marketplace subscription permissions:
Support Path Options
- For problems signing up for NG-SIEM product on Marketplace
- Problems with AWS services involved in deployment (e.g., CloudFormation, IAM)
  - Create a technical support case with AWS
  - If you do not have a support contract with AWS, contact CrowdStrike support at AWSMP@CrowdStrike.com
This article was co-authored by John Dittmer and Krutarth Doshi.