This blog post provides instructions on how to update the AWS Security Reference Architecture (SRA) in your Customizations for AWS Control Tower (CfCT) environment. With just a handful of steps you can do this on your own and make sure that you always have the current version installed.
What does SRA provide?
The AWS Security Reference Architecture GitHub repository provides a broad range of security solutions with granular parameterization. You can enable services such as GuardDuty, define which services you want to manage, or include a solution that, for example, notifies you about unencrypted EBS volumes. With all of these settings kept in two files you save a lot of the time you would otherwise spend developing and maintaining custom StackSets yourself. AWS SRA follows AWS best practices and registers a delegated administrator account for the services where that makes sense. It is under constant development, keeping pace with the services and solutions AWS launches. You can find further information about the repository at the following link.
Unfortunately, SRA does not yet provide an update procedure. As a result, new solutions tend to end up as separate StackSets outside of SRA, which is not a very smooth way to manage them.
As we faced this issue in our own environment, we took a closer look at the whole SRA setup process and at what needs to be touched to update the framework. It turned out that we could update our SRA with a small number of easy steps. Just follow the instructions below!
How to Update SRA:
The code for all SRA services and solutions is located in an S3 bucket named sra-staging-ACCOUNTID-REGION in the account from which you deployed the solution.
The first step is to create a folder named archive in that bucket and to move all existing folders into it. This keeps a copy of the currently deployed code, so if anything goes wrong in the following steps you can still roll back.
If you now look at the root directory of the S3 Bucket it should look like this:
Now open the CodeBuild console and click on the CodeBuild project sra-codebuild-project
This CodeBuild project clones the public SRA GitHub repository and copies all of its files to the S3 bucket. When it detects that the folders are not present, it copies them again; because we moved them to archive, this gives us the most recent version of the SRA solutions.
To trigger this, run "Start build" for the CodeBuild project. After around 5 minutes the build should show as succeeded:
New solutions may also come with new parameters, so these are the next thing to check. When first setting up SRA you downloaded a manifest.yaml and a sra-easy-setup.yaml.
Download these files again with the curl commands provided on the SRA instructions page:
Open the files in your IDE and compare them with the current SRA files in your repository (a plain diff -u, or git diff --no-index, works just as well). Do this for both manifest.yaml and sra-easy-setup.yaml. Merge the new content into your existing files; do not replace them. Your existing files contain all the parameter values you set, and you do not want those overwritten. Also watch for parameters that upstream has removed: a StackSet update fails if it passes a parameter that the template no longer declares.
Once you have finished this step, push your changes and wait for your CodePipeline to update the SRA StackSet.
If everything went right, the StackSet update shows as green and you can use the new SRA features! If it does not, the stack instance status in the CloudFormation StackSets console tells you which account and region to look at.
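The merge step is the one that is easy to get wrong by hand, so here is a small script for it. It is an added example, not code from the original post or from the SRA repository: it merges the parameters of a freshly downloaded CfCT manifest.yaml into your existing one, keeping the values you already set, adding parameters that are new upstream with their upstream defaults, and dropping (and reporting) parameters that upstream no longer declares, because a StackSet update fails when it passes a parameter the template does not define. It works on the parsed YAML (dicts and lists); the two embedded manifests, the parameter names and the load_yaml helper are constructed for the example, and for real files you would load them with PyYAML first. The same new-or-gone check is applied to the Parameters block of sra-easy-setup.yaml.

```python
"""Merge a freshly downloaded SRA manifest.yaml into your customized copy.

Added example, not code from the original post or the SRA repository. It
works on the parsed YAML of a CfCT manifest (a "resources" list whose entries
carry "parameters" as parameter_key/parameter_value pairs). The manifests
below are constructed samples with hypothetical parameter names; for real
files use load_yaml() first.
"""


def param(key, value):
    """Shorthand for one CfCT parameter entry."""
    return {"parameter_key": key, "parameter_value": value}


# Constructed sample: your current manifest.yaml with the values you set.
EXISTING_MANIFEST = {
    "region": "eu-central-1",
    "resources": [{
        "name": "sra-easy-setup",
        "resource_file": "templates/sra-easy-setup.yaml",
        "deploy_method": "stack_set",
        "parameters": [param("pEnableGuardDuty", "Yes"),
                       param("pEnableEbsEncryptionCheck", "Yes"),
                       param("pRetiredOption", "true")],
    }],
}

# Constructed sample: the upstream manifest.yaml you just downloaded. It ships
# defaults, adds pEnableInspector and no longer declares pRetiredOption.
UPSTREAM_MANIFEST = {
    "region": "us-east-1",
    "resources": [{
        "name": "sra-easy-setup",
        "resource_file": "templates/sra-easy-setup.yaml",
        "deploy_method": "stack_set",
        "parameters": [param("pEnableGuardDuty", "No"),
                       param("pEnableEbsEncryptionCheck", "No"),
                       param("pEnableInspector", "No")],
    }],
}


def load_yaml(path):
    """Parse a manifest or template from disk (needs PyYAML)."""
    import yaml  # lazy import so the constructed samples run without PyYAML
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def merge_parameters(existing, upstream):
    """Return (merged, added, removed) for two CfCT parameter lists.

    Keys in both keep your existing value; keys only upstream get the upstream
    default; keys upstream no longer declares are dropped and reported, since
    a StackSet update fails if it passes a parameter the template lacks.
    """
    mine = {p["parameter_key"]: p["parameter_value"] for p in existing}
    theirs = {p["parameter_key"]: p["parameter_value"] for p in upstream}
    merged = [param(k, mine.get(k, v)) for k, v in theirs.items()]  # upstream order
    added = [k for k in theirs if k not in mine]
    removed = [k for k in mine if k not in theirs]
    return merged, added, removed


def merge_manifest(existing, upstream):
    """Merge upstream into existing, resource by resource, matched by name.

    Your top-level settings win, new upstream resources are taken as-is and
    resources that only exist locally are kept. Returns (manifest, report).
    """
    merged = {k: v for k, v in existing.items() if k != "resources"}
    local = {r["name"]: r for r in existing.get("resources", [])}
    merged["resources"], report = [], {}
    for res in upstream.get("resources", []):
        new_res, name = dict(res), res["name"]
        if name in local:
            params, added, removed = merge_parameters(
                local[name].get("parameters", []), res.get("parameters", []))
            new_res["parameters"] = params
            report[name] = {"status": "merged", "added": added, "removed": removed}
        else:
            report[name] = {"status": "new upstream", "added": [], "removed": []}
        merged["resources"].append(new_res)
    for name, res in local.items():
        if name not in report:
            merged["resources"].append(res)
            report[name] = {"status": "only local", "added": [], "removed": []}
    return merged, report


def diff_template_parameters(existing_tpl, upstream_tpl):
    """Same check for the Parameters block of sra-easy-setup.yaml: returns
    (names new upstream, names that disappeared upstream)."""
    old, new = existing_tpl.get("Parameters", {}), upstream_tpl.get("Parameters", {})
    return [k for k in new if k not in old], [k for k in old if k not in new]


if __name__ == "__main__":
    manifest, report = merge_manifest(EXISTING_MANIFEST, UPSTREAM_MANIFEST)
    for name, entry in report.items():
        print(f"{name}: {entry['status']}, added={entry['added']}, removed={entry['removed']}")
    for p in manifest["resources"][0]["parameters"]:
        print(f"  {p['parameter_key']} = {p['parameter_value']}")
```

Run it on real files by replacing the two constructed dicts with load_yaml("manifest.yaml") and load_yaml("manifest.upstream.yaml"), then write the result back with yaml.safe_dump. Review the report before committing: an entry under "removed" means upstream retired that parameter, and an entry under "added" is a new option that you still have to decide on rather than leaving at the upstream default.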
About Me
Hi! My name is Jana. I live in the Southwest of Germany, and when I'm not smashing weights in the gym I love to architect solutions in AWS that make my life and my customers' lives easier.
My computer science journey started as an on-premise system administrator and developed over time into an AWS architect. As I know both the "old" and the "new" world, I know the common pain points in architectures and am able to provide solutions that solve them, making them not only more efficient but also cheaper!
I enjoy learning, and as the AWS portfolio is evolving all the time, I try to stay up to date by getting certified and checking out newly launched products and services.
If you want to lift your environment to the cloud, or want your already migrated environment to use more of the cloud services, hit me up or check out Public Cloud Group GmbH!
About PCG
Public Cloud Group supports companies in their digital transformation through the use of public cloud solutions.
With a product portfolio designed to accompany organisations of all sizes on their cloud journey, and a level of competence that is synonymous with highly qualified staff that clients and partners like to work with, PCG is positioned as a reliable and trustworthy partner for the hyperscalers: relevant, with repeatedly validated competence and credibility.
We have the highest partnership status with the three relevant hyperscalers: Amazon Web Services (AWS), Google, and Microsoft. As experienced providers, we advise our customers independently with cloud implementation, application development, and managed services.