Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Use of public subnet in audit account for SIEM tool GUI

0

Hi all

I created a landing zone using LZA https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/ for FedRAMP compliance and configured a centralized ingress and egress vpc in a network account as shown in https://aws.amazon.com/blogs/mt/scale-multi-account-architecture-aws-network-firewall-and-aws-control-tower/.

Now I need to deploy SIEM tools in my Audit account as shown in https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html, but those tools needs GUI, so I guess we need to create public subnets in the Audit account.

My question is I created the centralized network account not to create public subnets in any other places, but for SIEM tools I need public subnets in the Audit account. Creating public subnets in the audit account seems like a security breach, is there any other ways to deploy SIEM tools in a secure way?

Thanks.

Topics
Infrastructure as CodeNetworking & Content DeliverySecurity, Identity, & ComplianceAWS Well-Architected Framework
Tags
FedRAMPLanding Zone Accelerator on AWSAmazon VPCSecurity
Language
English
asked a year ago158 views
1 Answer
0

Hello.

Will SIEM tools be installed on EC2?
In that case, I think you can solve the problem by using ALB or NLB.
You can specify an EC2 private IP address as a target for ALB or NLB.
If you create an ALB or NLB in an AWS account with a public subnet and connect it to your Audit account via TransitGateway, you can access it via public.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-register-targets.html#register-ip-addresses

By the way, if you can use AWS ClientVPN or Site to Site VPN, I think public access will not be necessary.
It should also be possible to connect using a private IP address via VPN.
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/how-it-works.html
https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html

I think it is also possible to access via a springboard server using Systems Manager Session Manager.
This method can be controlled by IAM, so I think it is suitable for your purpose from the perspective of account separation.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/

EXPERT
answered a year ago
EXPERT
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content