
Hello everybody, welcome to this talk. The title of this talk is Big SIEM Energy, so without further ado, please welcome our speaker, Kenneth K. Over to you. [Applause]

Hello. So, Big SIEM Energy at micro-SIEM cost. My name is Kenneth K, I'm with JupiterOne. We're a startup. I'll tell you all about JupiterOne if you want to hear about it after the presentation, but this is not really about JupiterOne itself; it's about something that I discovered while I was working at JupiterOne. I'm one of the security architects at JupiterOne. As a startup we wear many hats, so I do more than just security architecture stuff, and one of the things that I did as I'm going through there is: how can I get the most bang for our buck?

Well, one of the things that a startup is really concerned about is exactly that. We don't have a whole lot of funding, we don't have a huge revenue income yet, because we're still trying to build out the business. So how can I get all the things that a security team is supposed to be doing without having to pay the kind of money that well-off, well-established companies can afford to? SIEMs are expensive, we all know that. Anybody who has dealt with SIEMs, or security in general, knows that these things are not cheap. There are two general pricing models. There's a pricing model by volume, meaning gigabytes, terabytes, petabytes, however much data you have, and then there's another pricing model that's based on events. A lot of my talk is going to be focused on AWS, because my company is very AWS-centered, so your mileage may vary if you're talking about Azure or GCP, but with respect to AWS, GuardDuty is very event-centered: it counts the number of events that it evaluates and it charges you based on those, per million events.

And then there are these build-your-own solutions. They still need to be hosted somewhere, so you're still paying for the compute, you're still paying for the storage, you're still paying for the networking activity, plus on top of that you have to pay for somebody to go in there and actually build the thing and then maintain it. Whether you're talking about building detections, or actually building the VMs or the containers or whatever you're going to be using to do it, somebody's got to do that, and if you just hand it off to a member of the security team, they've got another job on top of that, which is to actually respond to the security incidents, to actually secure things and double-check stuff. So then you've got on the order of a person dedicated to maintaining infrastructure that is critical to making sure that you don't miss something and you don't get popped. Not a very good look when you're talking to investors and other companies and saying, hey, we're a startup, we want to go out and IPO and stuff, but we can't prove to you that a SIEM is working. Well, so Matano, while it's open source, and I love open source, is not a really good fit for us in particular, simply because we don't have the manpower to do it right.

So what do we do instead? I looked at the documentation, RTFM, and you'll notice this is a very common thing with hackers in general. Not that I would consider myself among the elite of hackers or anything, but I've got that kind of mindset: take advantage of things, right? So if you read the documentation that is presented to you from AWS about all these different services, you find out what their pricing models are. They want you to know their pricing models, but I'm not sure that they know exactly what their pricing models are themselves. Like, I don't know if there's a lot of crosstalk between the different people responsible for the different services in AWS. So what I found was that CloudTrail has a certain pricing model, EventBridge has a different type of pricing model, SNS has its own pricing model, and Chatbot, which is a fairly recent addition to the AWS service list, which is, I don't know, 286 and growing services, they all have different pricing models, and Chatbot is free, at least right now. So if you add these things together, you can build yourself a micro-SIEM.

Now, one thing that has always bothered me about SIEMs. I've been doing security for almost 20 years now in various contexts, and one thing that's always bothered me about a SIEM that you either purchase out of the box and run in your own on-premises installation, or it's a managed service or something like that, is that yes, it comes out of the box with a whole bunch of detections. Great, you don't have to worry about building your own detections, but on the other hand it comes out of the box with a whole bunch of detections that may or may not apply to your environment, and that's where we get noise, and we get analyst fatigue, and we get a whole bunch of overhead that you have to staff up, and this is where the traditional SOC comes from. You have 20 people sitting there paying attention to all these alerts and dismissing 99% of them as false positives, because they're just noise, or they're acceptable within your environment, they're normal for your environment. So that is, in my opinion, a very top-down approach: here's all of these rules, turn them all on and then filter out the noise.

Well, you could also build bottom-up. You could take a look at your environment and use a threat modeling approach. OWASP has a free version, Threat Dragon; Microsoft has a threat modeling program that they give away for free if you're in a Microsoft environment. But the whole point is, if you do a threat model, you can identify fairly easily in your environment, your architecture, your processes, your applications, whatever it is: these are the critical points that need to be protected above all else, these are the actions that we worry about, these are the things that keep us up at night. And what you can then do is build detections around those most critical key components and implement them first. And maybe later on, if you're a startup and you get more funding and you get more people on board, you can go out and buy one of the big SIEMs that have a thousand and one rules that are going to go off at all times of the day and night, and half of them don't apply to you in the first place. Or you can start off with just analyzing your environment, detecting where the biggest threats are, and then custom-building a couple of rules that say, hey, this should never happen in our environment, and if it does, wake somebody up. And that way you eliminate all the noise by designing it based on the threats to your environment, as opposed to just taking a blank slate of here's all of these rules that you should be paying attention to. And not to denigrate any SIEM provider whatsoever, but a lot of them are still looking backwards. The rule sets that they provide are applied, generally speaking, to legacy environments that are architected in a legacy way: for on-premises servers and banks with people maintaining them, and installations that have a lot of different aspects associated with the CIA triad.

Well, one of the things that we do, at least at JupiterOne, is we're a cloud-native company and we're following the DIE triad. I don't know if anybody got to see Sounil Yu's keynote this morning. I worked with Sounil Yu years ago when he developed the DIE triad, and then, coincidence of coincidences, he got hired at JupiterOne about a month before I got hired at JupiterOne, which was kind of serendipitous. I've always liked working with him, and the DIE triad that he developed makes so much sense to the cloud-native world. Design your applications, design your infrastructure, not just your applications but design your infrastructure, to be distributed by default. Nothing sits on one server; everything sits on multiple servers distributed across multiple regions, therefore it can't be taken down unless you take all of Amazon down, and if you take all of Amazon down, we've got bigger problems than worrying about whether or not JupiterOne is available to our customers.

It has to be immutable. Now, how do you make something immutable? Well, that's really a challenge, because there isn't really a way to guarantee immutability within AWS, but if you build your CI/CD pipeline for development such that the engineers can't actually log into your AWS console and make changes, and it has to go through the checks, it has to go through the peer reviews and things like that, then what you have is essentially the equivalent of immutable infrastructure. And by threat modeling your environment, as I was mentioning earlier, you can say none of these things should change unless they come from our CI/CD pipeline, and if you put that monitoring in, it's very easy to see if an attacker compromises an account somewhere, because they're not going to know that. They're going to go in there and try to change a Lambda in place, and that's going to set off an alarm, and you're going to know about it.

So: distributed, immutable, and then ephemeral. You can't attack something that doesn't exist, and Lambdas are a great example of that. Containers less so, but a Lambda is not actually out there. You can't take advantage of it unless you have called it, and if your application, like ours, is a web-based application, and we've got a strict cross-site origin policy and we've got content security policies and things like that, you can't call our APIs unless it's going through the gateway that authorizes those things, makes sure that you have the correct permission, both the authn and the authz, to do that. And so none of this infrastructure exists to be attacked 99% of the time. It only exists when it's executing the function. The website itself is a combination of 50 different Lambda calls or so that are only running long enough to return the information back to your browser. Your browser caches it and displays it to you, and it's working, but there's nothing on the server side in the cloud that's actually working at the time. There's nothing to attack. So by following these principles we can design a cloud-native application that really makes it easier for us to secure whatever we're doing, and is not necessarily very relevant to legacy detections created by SIEMs that have been working for the past, you know, 20 years, trying to help companies out. Containers a little bit less so, because containers generally live a little bit longer than Lambdas do, but if you have a policy in place that causes your containers to be recycled and then rebuilt from the static image, that mitigates most of that too.

So, putting it all together. And you'll notice the note up there in the corner; this is the documentation gotcha that I noticed. You hit an event, it gets sent to CloudTrail. Of course you have to configure CloudTrail in your environment, but all management events, the first copy of all management events that go to CloudTrail, is free. Management events contain a whole lot of different things, especially as regards the configuration of your assets: whether your Lambda is configured to run now, or it can run for a long time, or something like that, that's all part of management events. Now, the actual code that you have in your Lambda, that's a data event, so you have to enable data events, which has an individual cost to it, but in this example that I'm going to work through, we're talking about management events, because the first copy is free.

And then you can send that to EventBridge. Now EventBridge, as the comment here says, charges you for every evaluation, just like GuardDuty does. However, it doesn't charge you for default service events. What is that? A default service is a service that's turned on for you by default. It's a default service in your AWS account, something like the login service. In order to log into your AWS account, the login service has to be running before you log in, or else you can't log in. It's default, and EventBridge doesn't charge you for evaluating events from default services, whatever is turned on by design, by automatic. Anything that you turn on that is extra, so for example CloudTrail, is not a default service. It's not always turned on; you have to turn it on. So if there's something that is generated by the CloudTrail service itself that you want to evaluate, then you're going to get charged in EventBridge for it, because it's not a default service. But the sign-in service is.

Now, I've got the dashed line here leading to Lambdas because I'm not doing that. I'm actually going to do a demo and show you how to do this live, and if the internet gods are not with me, I have a recorded version just in case. But you could, as an output from EventBridge, feed that over to a Lambda. And let's say you have a very well-known set of remediation steps for something that goes wrong on a not common basis in your environment; you could have the output of that EventBridge rule say fire off this Lambda to fix the problem. Because we regularly have salespeople that get themselves locked out of their email accounts for sending too many emails, and that's something that we need to just handle automatically. I don't want my security people having to deal with that. It's not a security event; it comes in over the wire, but I don't want my people dealing with that, and it's a known, easy set of remediation steps that I can programmatically access via APIs, so I might implement that as a Lambda.

In this case, what I forgot to mention earlier, the use case that I'm walking through on this is a root user login. And I specify user because sometimes users and accounts get kind of confusing depending upon which cloud-native platform you're working on. In AWS, an account is basically a container that holds all of your functions and users and stuff like that. The root user is created when you create a new AWS account; it has root access to everything in there, and best practices state that after you've created your root user, you go through and you create an admin user or an admin role that people can assume in that environment, and that's how you actually manipulate the environment or the account. You should never log in with your root user unless you're doing stuff that requires root user access, so it should be very, very rare, few and far between. And so what we're going to be setting up here is a detection that says if the root user logs in, let me know. Now what I can do with that is I can go and check with the engineering team: hey, did you guys log in with this? Is that on purpose? Where's the documentation? Do you have a ticket for it? Do you have authorization, etc.? And if everybody comes back and says no, I don't know what you're talking about, I can hit the big red button and we can do something about it. It's not something that I can necessarily put a Lambda in to take care of, because there are some questionable parts in there that require a little bit of human interaction, but for the most part it's a fairly simple thing and I can handle that.

So the output of EventBridge can go to a Lambda, or it can go to an SNS topic, or it can go to an SQS queue, depending on how you want to manage things. I'm having it go to an SNS topic in this case, and then the SNS topic sends to Chatbot. Chatbot is listening for, basically... it's not sending, because SNS is a message queue technology, but Chatbot is listening to that topic, and if a message comes up on that topic, then Chatbot is going to send it to my Slack. Right now AWS Chatbot has two outputs: it has Amazon Chime and it has Slack. They say in their documentation that they're going to introduce other avenues, but who knows. For this example I'm using Slack, because that's what we're using.

So this is some example code I ran in Terraform. In my environment we use a CI/CD pipeline, we use infrastructure as code, and this is all example code; you're not going to see JupiterOne code here. But this is an example of the rule in EventBridge that's looking for the root user login, and you'll notice that the condition is Success, a successful login by the root user. I don't really care too much about failure, but I could put that in there if I just wanted to keep track of it for whatever reason. Again, because the source on here says aws.signin, that is a default AWS service, and therefore we don't get charged for EventBridge rules constructed around that. So I'm not paying for GuardDuty to evaluate this and I'm not paying for EventBridge to evaluate this, but it's still getting evaluated. Now I do have to pay for the SNS topic, because that part is not free, but since this is a management event I'm not paying for CloudTrail, since this is a default service event I'm not paying for EventBridge, I am paying for SNS topics, and Chatbot is currently free. So three out of the four steps in this I'm not paying anything for.

And then we've got some more Terraform configuration. Infrastructure as code is really a great way to do something like this, especially if you're trying to follow the DIE triad, where things, once they're in production, are immutable, because you can't change this stuff without going through the CI/CD pipeline; people have to peer review it, they have to approve it, etc., etc. And then you need to set up the SNS topic as well, and then you need to enable Chatbot. There's one gotcha about the Chatbot: you can't do it through code entirely, because you have to go log in with a user that has permission to enable that service for the account, and that user, the person that has that role or that user account, also has to have enough permissions in your Slack workspace to connect AWS to your Slack workspace. So you have to have somebody, or two people, standing by to coordinate efforts to get that done, but once it's turned on, then you can go back to Terraform and configure everything in code again; you don't have to worry about it too much.

Now you'll notice down here at the bottom it says guardrail policies, and I chose the guardrail policy AWSDenyAll. The Chatbot service is designed to be interactive. The AWS concept is that you can put a chatbot into your Slack and then you can interact with AWS and change things by giving commands to the chatbot. But the thing is that the chatbot is scoped to the channel that it's in, so anybody in the Slack channel where the AWS Slack bot is sitting can issue any command that that chatbot is authorized to take, and it will do it on their behalf, and the logs will show just that the chatbot did it. So I don't know if Alice did it, I don't know if Bob did it, I don't know if hacker X did it. Somebody in that channel did it, and sure, maybe I have Slack logs and I can go back through and investigate and find out who did what, but that's just a really poor practice that I'm not going to do. I just want to be notified that something happened. I don't want to manage it from Slack. I have no problem logging into the console and doing what needs to be done and then making the changes in code, getting it approved, etc. So I put in the AWSDenyAll. Now, anybody who has heard about the Capital One breach a couple of years ago knows that it was a misunderstanding about how the S3 buckets are configured with respect to permissions that allowed that to happen in the first place. So when we talk about that, the AWSDenyAll isn't enough. You've got to lock that Chatbot down, which means more and more. There are at least four different ways that I discovered that you can kind of bypass some of the Chatbot restrictions if you know what you're doing, so I have four different sections restricting what Chatbot can do. This is a read-only Chatbot: it tells me something and that's it. It won't respond to any questions, won't do anything.

And then once that happens, this is what it looks like once I've got that configured, once I've got it in place. This is the message that I get in Slack that says a console sign-in was detected, this is the user, this is what happened, etc., and you can use that link to check it out if you have a role or a user with permission to investigate that sort of thing. You could also ingest this into a different SIEM if you wanted to, or some sort of Splunk-like thing for forensic analysis. I mean, you can do whatever you want to do on the other end of that, but this is basically the beginning and end of everything that I'm doing in this one. This is one rule that I know is important to my environment, that I want to be able to monitor, that costs me pennies compared to doing the same thing in GuardDuty or some other managed SIEM or Matano or anything like that.

Now, I forgot to mention this at the beginning, but if anybody has any questions as I'm going along, please raise your hand and let me know. There's time at the end for questions, but I'd rather take them organically as we go along. So I'll pause just for a second here. Does anybody have any questions? Yeah.

[Audience question, inaudible]
So the question was, just in case anybody couldn't hear it, is there a way to allow for persistence with respect to the EventBridge rules? And yes, you can. The EventBridge rule is not smart enough to say wait until this triggers 20 times, but you can have an EventBridge rule that says look for this root user login and then put it on this SNS topic, and then you can have another EventBridge rule that's looking for that SNS topic, and what it's looking for is that SNS topic to fire 20 times in 5 minutes, something like that. So by chaining the event rules together you can do that, and this really starts to get into building your own SIEM from the ground up, which may or may not be worth your time and investment. Yeah, you would be charged for the SNS topic from EventBridge rule one to EventBridge rule two, you would be charged for EventBridge rule two's evaluation, and then for EventBridge rule two's SNS topic out to your Chatbot. So it's still cheaper than using GuardDuty, but not, you know, 75% cheaper like what I'm doing. Any other questions at this time? Yeah.

[Audience question, inaudible]

Yeah, this is just an example of one rule, but like I said, I was using threat modeling to identify where the weakest points in my infrastructure were, the things that were most critical to detect, and then I could build rules based off of that and only worry about those, which eliminates a whole lot of noise out of my environment and fulfills all of our critical and high vulnerability issues that we determined from our threat modeling. We can provide assurance to our customers that yes, we are indeed taking care of those, and then later on, when we have the staffing for it, we'll start, you know, handling a lot more of the things that are a lot more fuzzy, like maybe they're going to be important, maybe they won't. Any other questions at this time? Because if not, then we're going to get into a demo and I'm going to do it for you live. Yeah.

All right, so you should be able to see this. Hopefully that's readable in the back; I tested it out earlier, it should be good. But here's the code, just like the code that I was showing in that screenshot; this is it. Now this is all part of my open-source public GitHub repository, so you're not going to see anything in here that is specific to JupiterOne or anything like that, but this is all in my GitHub repository. There's a link at the end of this so you can get access to it and get this presentation too. But what you can see is I have this right here, CloudTrail. This is infrastructure setup. We've got to set up some infrastructure; it's not necessarily part of the demo itself, but you've got to have CloudTrail or else you have no data to feed into EventBridge. S3 is where you store your CloudTrail data. KMS is so that you can encrypt your CloudTrail data, because honestly nobody should be looking at your logs unless it's your security people; it shouldn't be accessible to just anybody. And then there's the EventBridge rule, just like what I was showing in the screen capture. Here's the definition of the SNS topic and the attachment of the policy, and here's the Chatbot with all of the restrictions that I created for it, saying you can't do this, you can't do this, you can't do this, you can't do this; all you can do is send a text or a message to Slack. And then here what I have is just a bunch of code, and this, the my-demo script there, just allows me to reset this thing and do it over and over again without screwing myself up.

It's set right now to run, and because this is Terraform, all I'm going to do is tell it terraform apply. I have a bunch of Terraform files in here that I was just showing you, and Terraform is going to go through and figure out all the different AWS API calls that it needs to make in order to create all of the resources and configure them in the way that I have specified in my code. It's going to do that analysis and it's going to come back and ask me, are you sure you want to do this? So it's telling me that it's going to add 19 resources, it's not going to change any, and it's not going to destroy any. I can also go back through here, scroll through this, and see exactly what changes it's going to make, and all the way at the top you see those green pluses. It has a legend all the way at the top to tell you exactly what the symbols mean, because they're not always green pluses, but you can see green pluses: create. And then we've got read for data resources, stuff like that. So you can actually examine every single one of these resources that it's going to create before you give it the go-ahead and tell it yes. You can do a plan ahead of time instead of an apply, and that will give you this without asking you to create it. And this is what it's doing: it's going through right now, it's making API calls to AWS as we're looking at it, creating things. This CloudTrail bucket lifecycle thing takes 32 to 42 seconds to do. I'm not sure why this one takes so long. It's an interesting thing, because it's just a feature of S3 buckets, and it takes the longest out of all of the S3 bucket creation steps. It's interesting. We'll hit 30 seconds elapsed and then it will end shortly after that; it might hit 40. Oh, there we are, 32 seconds. And here we are: 19 resources added, zero changed, zero destroyed.

Okay, so what I need to do then is bring up my browser that has the stuff in it. Oh, it's in this one. Forgot. No, why did you log me out? I don't want to... Yes, here we are. I created a Slack workspace just for this demo. It has one channel in it, the bsides-demo channel; there's nothing in there right now. And here we have the AWS Management Console. So I'm going to sign in first as an IAM user that has permissions to... doesn't matter what I put in here... that has permissions to log in and see things. This is an admin user, but not a root user, and of course we need multi-factor.
Okay, so I'm logged in. Now the thing that we're looking for here is no message in the Slack channel, but while we're doing that: it takes about 15 seconds or so once the event occurs before it gets through the whole system and comes out. It's not the best amount, but I mean, for the price that I'm paying, 15 seconds is all right. But I can go in here now and take a look at all of these different aspects, and I can see, oh look, I do have a topic. I have an SNS topic called group console logins, and if I look at S3 I can see the bucket that was created there, the bsides Las Vegas 2023 demo CloudTrail bucket. I can look at EventBridge and I can see the rule that I created down here, root console login, and the details of that rule just as I configured it in Terraform. I'll sign out. We have no messages in this channel, but now I will sign in as the root user.

And there, I'm signed in as the root user. I don't need to do anything, I don't need to interact with anything, I'm just going to sign out right away. Like I said, it takes about 15 seconds, but we'll sit over here and... let's see, 2, 3, 4, 5, 6... there it is. And there it is. We know the user agent that was used to log in, we know that it was successful, we know the exact account and identity that was logged in, we've got a link to the CloudTrail event itself that we could use for further investigation, we've got an event ID. Now, if we've got a couple of other AWS services turned on, such as CloudTrail Insights, we can, you know, form some queries, we can do some more investigation, but that's beyond the scope of this particular talk and this demo. I just wanted to be able to show you: whether you use Terraform, whether you use CloudFormation, whether you go in there and hand-jam it yourself, although I wouldn't recommend that, people make too many mistakes, however you do it, you don't have to go out and buy the big SIEM right away. If you're doing proper threat modeling and you know what your biggest risks are, you can mitigate those risks with a couple of simple rules at 75% off the list price, essentially, and then you can have your security team handling it, doing whatever it is that they need to do.

And, let's see... nope, nope... ah, here we are. These are all the resources that I used to come up with this: the documentation on the pricing for all those different services. I did some quick rough math using Google searches on average SIEM costs, as well as some analysis I did at JupiterOne itself, because, you know, we're trying to get the most bang for our buck. And all of this is available on my GitHub repository, that you can get from that QR code right there, including the presentation and the templates that I made that I showed you, the Terraform code. Your mileage may vary depending on how well you can read Terraform. So, any questions? I left in like 15 minutes' worth of questions; we've got 13 left. Anybody want to talk about something?
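The root-login detection demonstrated in the talk, as an added example that is not the speaker's Terraform or repository code: a small Python matcher that applies the EventBridge exact-match semantics the rule relies on (source aws.signin, detail-type "AWS Console Sign In via CloudTrail", a Root identity, ConsoleLogin Success) to constructed CloudTrail sign-in events, so you can see offline which events would reach the SNS topic and which the rule drops (an IAM user login, a failed root attempt, an event missing the field). The event shapes, account ID and IDs below are constructed sample data.

```python
"""Offline check of the EventBridge pattern behind a root-console-login rule.

Added example, not the talk's Terraform code. The pattern keys are the ones
EventBridge uses for console sign-in events; all sample events are constructed.
"""
import json
from typing import Any

# Pattern equivalent to the rule described in the talk: root user, successful login.
# EventBridge semantics: every key in the pattern must exist in the event, list
# values are OR-ed alternatives, nested objects recurse.
ROOT_LOGIN_PATTERN: dict[str, Any] = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "userIdentity": {"type": ["Root"]},
        "responseElements": {"ConsoleLogin": ["Success"]},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Return True if `event` matches `pattern` under EventBridge exact-match rules.

    Only the subset of the pattern language this rule needs is implemented:
    literal values with list alternatives and nested objects. Content filters
    such as {"prefix": ...} or {"anything-but": ...} are deliberately not handled.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False  # a field absent from the event never matches
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(actual, list):
            # event field is itself an array: any element may satisfy the pattern
            if not any(item in expected for item in actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_signin_event(identity_type: str, outcome: str, event_id: str,
                      account: str = "111122223333") -> dict:
    """Build a constructed console sign-in event in the envelope EventBridge delivers."""
    is_root = identity_type == "Root"
    return {
        "version": "0",
        "id": event_id,
        "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin",
        "account": account,
        "time": "2023-08-08T17:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": identity_type,
                "arn": f"arn:aws:iam::{account}:root" if is_root
                       else f"arn:aws:iam::{account}:user/alice",
                "accountId": account,
            },
            "eventName": "ConsoleLogin",
            "eventSource": "signin.amazonaws.com",
            "sourceIPAddress": "198.51.100.7",          # constructed (TEST-NET-2)
            "userAgent": "Mozilla/5.0 (constructed user agent)",
            "responseElements": {"ConsoleLogin": outcome},
        },
    }


def summarize_alert(event: dict) -> dict:
    """Pull out the fields the Slack notification in the talk surfaces for a match."""
    detail = event["detail"]
    return {
        "account": event["account"],
        "identity": detail["userIdentity"]["arn"],
        "outcome": detail["responseElements"]["ConsoleLogin"],
        "user_agent": detail["userAgent"],
        "source_ip": detail["sourceIPAddress"],
        "event_id": event["id"],
        "time": event["time"],
    }


def evaluate(events: list[dict]) -> list[dict]:
    """Run the rule over a batch of events; return summaries for matches only."""
    return [summarize_alert(e) for e in events if matches(ROOT_LOGIN_PATTERN, e)]


# Constructed batch: only the third event should be forwarded to the SNS topic.
SAMPLE_EVENTS = [
    make_signin_event("IAMUser", "Success", "constructed-0001"),  # admin login: no alert
    make_signin_event("Root", "Failure", "constructed-0002"),     # failed root: rule ignores it
    make_signin_event("Root", "Success", "constructed-0003"),     # successful root login: alert
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```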
[Audience question] Yeah, I really appreciate your talk today. Can you tell us about any major limitations of this particular model that we should be aware of, anything that we're going to have difficulties with?

Probably the biggest limitation that you're going to find with this sort of model is managing the list of rules if you kind of go hog wild with it. This is really meant for, like, if you've done a very good, I keep coming back to this, but if you've done a very good threat analysis of your environment and you understand the threats very well, you can target certain things that you need to know about right away, and you don't have a huge budget. Once you start getting above, I'd say, maybe a dozen or two dozen rules, you should probably invest in something a little bit more full-featured, and maybe tune that down to where you need it to be instead of tuning this up, because the management and the administrative overhead is going to get you. Yeah, anything else? Yep.

[Audience question] I like your vest, by the way. I've kind of got two questions. So first, you're saying, like, if the number of events or the number of things that you're looking for would increase and kind of get wild, how easy do you think it would be to tear out the CloudTrail and EventBridge section and plug in a larger... if your company grew to a size where you started to care about that kind of thing?

I don't think it would be that hard, because I'm actually looking at that right now. So I've done some research on that, like how could I tear out this minimalist micro-SIEM and install an actual official, like a big-boy SIEM or something like that. It doesn't look like it's going to be that hard, because a lot of the SIEM vendors, if you're talking about cloud-native services or vendors, they want to get fed those events directly, and what they'll do is they'll read it from your S3 bucket. So getting those events to them is going to be a fairly simple thing; you're just going to have to deal with whatever their pricing model happens to be. And then you're also going to have to look through all of their detections to find out which one fits the use case that you have, because obviously your name for your rule is not going to be their name for their detection, and the detection name for vendor A is not going to be the detection name for vendor B. So you're going to have to spend a little bit of administrative overhead to do that mapping of what you're currently monitoring, that you can't lose, to what they have in place. And then you're going to have to start filtering out all the noise of the stuff that isn't relevant to you, because you designed your architecture using the DIE triad, you're using cloud-native resources, and you don't need to worry about all of the legacy problems that a lot of other companies are trying to track down.

[Audience question] And then one more, if you don't mind. Yeah. So on the Lambda side of things, being able to kind of enact remediation steps if you already have them, how often would you see people plug in even more complex code, like Python or C++ code that would do, like, advanced remediation techniques, versus just continuing hand-jamming problems over time?

I don't know how familiar you are with Lambdas in general, so please take this as I'm not trying to be insulting or anything, but Lambdas can be written in Python and C++; you can write your Lambda in pretty much any language that you want to, so it can be as complex or as simple as you want it to be. You could write APIs that just interface with AWS services, or you could have code that goes out to the larger internet and does things, like it does a Shodan search and ingests the results and then does something with that, and goes out and talks to VirusTotal and comes back and does something else with that. It can be as simple or as complex as you want it to be. That's one of the things that's great about using this sort of thing: you don't have to worry about buying a SOAR in addition to a SIEM. For anybody who's not familiar with a SOAR, it's basically an automation platform that people generally plug in with a SIEM to do this sort of thing, but you can do it all in Lambda if you want to. And the great thing about the Lambda is that, since it's all contained within the AWS ecosystem, you can use your same CI/CD pipeline to verify it, to
do the code scanning on it to do the peer reviews on it to make sure that everything is as immutable in production as possible as opposed to relying on SC scans from some third party vendor and making sure that everybody is sinking properly across multiple different vendors trying to do the same sort of thing but you can make it as complex or as simple as you want and where the limit is for what is too too complex for you is determined by your own organization how many resources you have how much how many um FS you have to give about it anybody else yeah have I ever used this in a multiac account scenario and and if so how would
you would you deploy the same terraform into each individual account and have them all report back to the same slack room separate slack rooms or would you aggregate them at the SNS level or my production environment is a multi- AWS account environment so I I can actually speak to this and I will tell you that there is a gotcha associated with this in that the AWS signin service only operates in us- east-1 only operates there so anytime you sign in to AWS it's going through Us East one they have hot fail over to another region in case that whole region goes down uh so you shouldn't have to worry about it too much but what that
means is that you have to set up um every event Bridge installation or instantiation has a default event bus and that's where cloud trail pushes its events to the default event bus but when you need to cross regions what you have to do is you have to set up a non-default bus you have to customize your own bus and you have to give it permissions you have to give cloud trail and S3 and whoever else permissions to push events to that non-default bus and then your rule in the same region as that bus can fire on it so it depends on whether or not you want it to be completely distributed or if you want to
have some form of consolidation there are a couple of gotas in there with that with respect to the services and the way the AWS implements them but it's actually not too difficult once you understand that this service is limited to this one region and then you have to configure the the regions to talk to each other once you've done that then it's easy and basically the code that I deploy to all of my accounts no matter what region that they're in or or anything like that is basically the same I just tell them all go to this same event bus in Us East one because I configured that event bus to be pushed to from any region from any service
basically with restrictions I'm not crazy um and that and that way the the event Bridge rules that I set up in that region will always fire on the com the whole of all the data that I need to be monitored one thing that I didn't mention earlier is that this sort of thing is great for compliance um just in case you're you're a GRC type minded person if you want to be able to prove unequivocably to an audit that you are actually monitoring for root user logins a lot of people will will try and just generate a root user login event that their Sim will catch and then they can show the event and stuff like that but
here not only can you generate the event but you can actually show them the code and say listen this is exactly how it works from beginning to end there's no blackbox magic with the SIM this is exactly it and anything that your auditor says well I'm not so sure that this evidence supports proving this sort of thing you can do the exact same thing and you can put it in within an hour any more questions any further questions we've got another five minutes awesome thank you great thank you again
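As an added illustration of the rule model discussed in the Q&A (a short list of EventBridge-style event patterns, a root-login rule an auditor can read end to end, and a rule-count ceiling of about two dozen), here is a small Python evaluator that runs those patterns over CloudTrail-shaped events and returns the alert text a Lambda would forward. This is example code, not the speaker's repository or Terraform; the matcher implements only the subset of EventBridge pattern semantics it uses (lists of exact values, nested objects, `anything-but`), and every event, account id, ARN and IP address below is a constructed placeholder.

```python
"""Rule evaluation over CloudTrail events delivered via EventBridge.

Added example, not the talk's code. Implements a subset of EventBridge
event-pattern matching: a leaf is a list of allowed literal values, a
nested dict matches a nested object, and {"anything-but": [...]} excludes
values. Sample events and rule names are constructed for illustration.
"""

# Constructed events shaped like EventBridge-delivered CloudTrail records
# (account id 111122223333, ARNs and IPs are placeholders).
ROOT_LOGIN = {
    "detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
    "region": "us-east-1",
    "detail": {"eventName": "ConsoleLogin",
               "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
               "sourceIPAddress": "203.0.113.10",
               "responseElements": {"ConsoleLogin": "Success"}},
}
IAM_USER_LOGIN = {
    "detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
    "region": "us-east-1",
    "detail": {"eventName": "ConsoleLogin",
               "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
               "sourceIPAddress": "203.0.113.11",
               "responseElements": {"ConsoleLogin": "Success"}},
}
FAILED_LOGIN = {
    "detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
    "region": "us-east-1",
    "detail": {"eventName": "ConsoleLogin",
               "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
               "sourceIPAddress": "198.51.100.7",
               "responseElements": {"ConsoleLogin": "Failure"}},
}
TRAIL_STOPPED = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail",
    "region": "eu-west-1",
    "detail": {"eventName": "StopLogging",
               "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
               "sourceIPAddress": "198.51.100.7"},
}

# The whole rule list. Keeping it short is the point: past a dozen or two
# dozen rules the Q&A suggests moving to a fuller SIEM instead.
RULES = [
    {"name": "root-console-login",
     "pattern": {"source": ["aws.signin"],
                 "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}}}},
    {"name": "cloudtrail-logging-disabled",
     "pattern": {"source": ["aws.cloudtrail"],
                 "detail": {"eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"]}}},
    {"name": "console-login-failure",
     "pattern": {"source": ["aws.signin"],
                 "detail": {"eventName": ["ConsoleLogin"],
                            "responseElements": {"ConsoleLogin": [{"anything-but": ["Success"]}]}}}},
]
RULE_BUDGET = 24  # "a dozen or two dozen" ceiling mentioned in the Q&A


def _value_matches(alternative, actual):
    """One list entry of a pattern leaf: literal, or an anything-but block."""
    if isinstance(alternative, dict) and "anything-but" in alternative:
        return actual not in alternative["anything-but"]
    return actual == alternative


def pattern_matches(pattern, event):
    """True if every key of pattern is satisfied by the event (missing key = no match)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if not any(_value_matches(alt, actual) for alt in expected):
                return False
        else:
            return False  # malformed pattern: leaves must be lists
    return True


def evaluate(event, rules=RULES):
    """Names of the rules whose pattern matches this event, in rule order."""
    return [r["name"] for r in rules if pattern_matches(r["pattern"], event)]


def within_rule_budget(rules=RULES, budget=RULE_BUDGET):
    """Administrative-overhead check: is the rule list still small enough?"""
    return len(rules) <= budget


def format_alert(rule_name, event):
    d = event.get("detail", {})
    who = d.get("userIdentity", {}).get("arn", "unknown")
    return (f"[{rule_name}] {d.get('eventName')} by {who} "
            f"from {d.get('sourceIPAddress')} in {event.get('region')}")


def handler(event, context=None):
    """Lambda-style entry point: one EventBridge event in, alert lines out.
    A real deployment would publish these to SNS/Slack instead of returning them."""
    matched = evaluate(event)
    return {"matched": matched, "alerts": [format_alert(n, event) for n in matched]}
```

Because each rule is plain data, the root-login rule can be shown to an auditor next to the event it fires on, which is the evidence argument made at the end of the Q&A; the `anything-but` rule shows that failed logins are distinguished from successful ones rather than lumped together.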