Deployment Guide

This guide covers CloudFormation parameters, deployment options, verification, updates, and teardown.

CloudFormation Parameters

The Deckard stack (deckard-stack.yaml) accepts the following parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| InstanceId | String | Yes | | Deckard instance ID (provided at signup) |
| TyrellEndpoint | String | Yes | | Base URL for Tangate rules API (e.g., https://api.tangate.com) |
| TyrellApiKey | String | Yes | | Instance API key issued at signup (NoEcho) |
| AiProvider | String | Yes | anthropic | AI provider: anthropic, openai, or deepseek |
| AiApiKey | String | Yes | | Your API key for the selected AI provider (NoEcho) |
| AiModel | String | No | "" | Model override (optional; defaults to provider's recommended model) |
| CloudFrontLogBucket | String | Yes | | S3 bucket where CloudFront writes access logs |
| CloudFrontDistributionId | String | Yes | | CloudFront distribution ID to protect |
| ElevatedProtection | String | No | false | Enable elevated threat intelligence rules (true/false) |
| SamplingRate | String | No | 1.0 | AI analysis sampling rate, 0.0–1.0 (can be changed at runtime via dashboard) |

All sensitive parameters (TyrellApiKey, AiApiKey) are stored in AWS Secrets Manager. They are never passed as plaintext environment variables. Dashboard access uses a scoped IAM user with access keys created by CloudFormation.

Using deploy.sh

The deployment script packages all three Lambda functions and deploys the CloudFormation stack.

cd deckard/cloudformation
./deploy.sh

The script:

  1. Creates a temporary build directory
  2. Packages the analysis Lambda (lambda/analysis/handler.py) — uses only stdlib + boto3, no extra dependencies
  3. Packages the edge Lambda (lambda/edge/index.js)
  4. Uploads Lambda packages to S3
  5. Deploys the CloudFormation stack with all parameters from environment variables
  6. Uploads the dashboard HTML to your output bucket

Required Environment Variables

export STACK_NAME="deckard"
export TYRELL_ENDPOINT="https://api.tangate.com"
export TYRELL_API_KEY="<your-api-key>"
export INSTANCE_ID="<your-instance-id>"
export AI_PROVIDER="anthropic"
export AI_API_KEY="<your-ai-api-key>"
export CLOUDFRONT_LOG_BUCKET="<your-log-bucket>"
export CLOUDFRONT_DISTRIBUTION_ID="<your-distribution-id>"

Optional Environment Variables

export AI_MODEL=""                    # Override default AI model
export ELEVATED_PROTECTION="false"    # Enable elevated rules
export SAMPLING_RATE="1.0"            # AI sampling rate (0.0–1.0)
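
A pre-flight check for the variables listed above, as an added example (it is not part of the project's deploy.sh). The function name `deckard_preflight` is hypothetical, and the https-only rule for TYRELL_ENDPOINT is an assumption of this example rather than something the guide states.

```bash
# Added example: validate the variables deploy.sh reads before running it.
# Prints one line per problem; returns non-zero if any problem was found.
deckard_preflight() {
  local rc=0 name value
  for name in STACK_NAME TYRELL_ENDPOINT TYRELL_API_KEY INSTANCE_ID \
              AI_PROVIDER AI_API_KEY CLOUDFRONT_LOG_BUCKET \
              CLOUDFRONT_DISTRIBUTION_ID; do
    eval "value=\${$name:-}"          # names come from the fixed list above
    case "$value" in
      "")      echo "missing: $name"; rc=1 ;;
      "<"*">") echo "placeholder not replaced: $name"; rc=1 ;;
    esac
  done
  # Only the three providers the AiProvider parameter accepts.
  case "${AI_PROVIDER:-}" in
    ""|anthropic|openai|deepseek) ;;
    *) echo "invalid AI_PROVIDER: $AI_PROVIDER"; rc=1 ;;
  esac
  # Assumption of this example: the API key should only travel over TLS.
  case "${TYRELL_ENDPOINT:-}" in
    ""|https://*) ;;
    *) echo "TYRELL_ENDPOINT is not an https:// URL"; rc=1 ;;
  esac
  case "${ELEVATED_PROTECTION:-false}" in
    true|false) ;;
    *) echo "invalid ELEVATED_PROTECTION: $ELEVATED_PROTECTION"; rc=1 ;;
  esac
  # SAMPLING_RATE must be a decimal between 0.0 and 1.0 inclusive.
  if ! printf '%s\n' "${SAMPLING_RATE:-1.0}" |
       grep -Eq '^(0(\.[0-9]+)?|1(\.0+)?)$'; then
    echo "invalid SAMPLING_RATE: $SAMPLING_RATE"; rc=1
  fi
  return "$rc"
}
# Usage: deckard_preflight && ./deploy.sh
```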

Stack Outputs

After deployment, the stack provides these outputs:

| Output | Description |
|---|---|
| EdgeFunctionVersionArn | Versioned ARN for the Lambda@Edge function (attach to CloudFront) |
| OutputBucketName | Your Deckard output S3 bucket |
| DashboardAccessKeyId | IAM access key ID for the dashboard |
| DashboardSecretAccessKey | IAM secret access key for the dashboard |
| DashboardDownloadUrl | URL to download the dashboard HTML file |
| DashboardSetup | Quick-start instructions for accessing the dashboard |

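Retrieve outputs with the command below. The result includes DashboardSecretAccessKey in plaintext, so treat the terminal output as a credential: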

aws cloudformation describe-stacks \
  --stack-name deckard \
  --query 'Stacks[0].Outputs' \
  --output table

Attaching Lambda@Edge

After the stack deploys, you must manually attach the edge function to your CloudFront distribution:

  1. Copy the EdgeFunctionVersionArn from the stack outputs
  2. Open the CloudFront console → select your distribution
  3. Go to the Behaviors tab → edit the behavior you want to protect
  4. Under Function associations, add:
    • Event type: Viewer request
    • Function ARN/Name: paste the EdgeFunctionVersionArn
  5. Save changes and wait for the distribution to deploy

The Lambda@Edge function runs on every viewer request. It reads the blocklist from S3 (cached for 5 minutes) and returns 403 for blocked requests.

Verifying Deployment

Check CloudWatch Logs

The analysis Lambda logs to CloudWatch under the log group /aws/lambda/deckard-analysis-{instance-id}. After the first hourly run, you should see log entries showing:

  • Rules fetched from Tangate
  • Log files processed
  • AI analysis results (if applicable)
  • Blocklist updated

Check S3 Outputs

After the first analysis run, verify these files exist in your log bucket:

s3://{bucket}/deckard/blocklist.json         # Current blocklist
s3://{bucket}/deckard/.last-run              # Last run timestamp
s3://{bucket}/deckard/decisions/{date}/      # Decision logs
s3://{bucket}/deckard/siem/{date}/           # SIEM output
s3://{bucket}/deckard/local-rules.json       # Local rules (starter template)
s3://{bucket}/deckard/config.json            # Runtime config
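
One way to script this check, as an added example that is not part of the project: the function names are hypothetical, and decisions/ and siem/ are matched as prefixes because the guide lists them as date-partitioned directories.

```bash
# stdin: S3 keys, one per line. stdout: expected entries that are absent.
deckard_missing_outputs() {
  local keys want
  keys=$(cat)
  for want in deckard/blocklist.json deckard/.last-run \
              deckard/local-rules.json deckard/config.json \
              deckard/decisions/ deckard/siem/; do
    case "$want" in
      # decisions/ and siem/ are date-partitioned: any key below them counts
      */) printf '%s\n' "$keys" | grep -q "^$want." || echo "$want" ;;
      *)  printf '%s\n' "$keys" | grep -qxF "$want" || echo "$want" ;;
    esac
  done
}

# Live check against the bucket ($1); needs s3:ListBucket on it.
# Prints nothing when every expected entry is present.
deckard_check_bucket() {
  local listing
  listing=$(aws s3api list-objects-v2 --bucket "$1" --prefix deckard/ \
              --query 'Contents[].Key' --output text) || return 2
  printf '%s\n' "$listing" | tr '\t' '\n' | deckard_missing_outputs
}
```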

Check the Dashboard

Download the dashboard HTML from the DashboardDownloadUrl in your stack outputs. Open it in your browser and log in with the DashboardAccessKeyId, DashboardSecretAccessKey, your bucket name, and region. The Overview page should show your instance ID, blocklist stats, and last run time.

Updating an Existing Stack

To update parameters on an existing deployment, re-run the deploy script with updated environment variables:

export AI_PROVIDER="openai"
export AI_API_KEY="<new-openai-key>"
cd deckard/cloudformation
./deploy.sh

CloudFormation performs an in-place update. The analysis Lambda picks up new Secrets Manager values on the next run. Lambda@Edge updates require deploying a new function version and updating the CloudFront distribution to use it.

To change the sampling rate without redeploying, use the dashboard Settings page — it writes directly to deckard/config.json in S3, and the analysis Lambda reads it at runtime.

Teardown / Uninstall

To remove Tangate from your account:

1. Remove Lambda@Edge from CloudFront

  1. Open CloudFront console → select your distribution
  2. Edit the behavior → remove the Lambda@Edge function association
  3. Save and wait for the distribution to deploy

Important: You must remove the Lambda@Edge association before deleting the stack. CloudFront replicas take time to clean up, and the stack deletion will fail if the edge function is still associated.

2. Delete the CloudFormation Stack

aws cloudformation delete-stack --stack-name deckard

3. Clean Up S3 Artifacts

The stack does not delete your log bucket or the deckard/ prefix within it. To remove Tangate artifacts:

aws s3 rm s3://{your-log-bucket}/deckard/ --recursive

This removes blocklists, decision logs, SIEM output, local rules, config, and analysis cache files. Your CloudFront access logs are not affected.
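
The ordering requirement in steps 1 and 2 can be enforced in a script. The following is an added example, not the project's own tooling; the function names are hypothetical, and it refuses to delete the stack while any version of the edge function is still associated with the distribution.

```bash
# stdin: Lambda ARNs attached to the distribution, one per line.
# $1: EdgeFunctionVersionArn from the stack outputs.
# Succeeds if any version of that function is still attached.
edge_still_attached() {
  local fn="${1%:*}" arn            # drop the trailing ":<version>"
  while IFS= read -r arn; do
    case "$arn" in "$fn":*) return 0 ;; esac
  done
  return 1
}

# $1: stack name, $2: CloudFront distribution ID.
deckard_safe_delete() {
  local edge_arn arns
  edge_arn=$(aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='EdgeFunctionVersionArn'].OutputValue" \
    --output text) || return 2
  case "$edge_arn" in arn:*) ;; *) return 2 ;; esac
  # Collect function ARNs from the default and all other cache behaviors.
  # A failed lookup aborts instead of being read as "nothing attached".
  arns=$(aws cloudfront get-distribution-config --id "$2" --output text \
    --query 'DistributionConfig.[DefaultCacheBehavior.LambdaFunctionAssociations.Items[].LambdaFunctionARN, CacheBehaviors.Items[].LambdaFunctionAssociations.Items[].LambdaFunctionARN][]') || return 2
  if printf '%s\n' "$arns" | tr '\t' '\n' | edge_still_attached "$edge_arn"; then
    echo "edge function still associated with $2; detach it first" >&2
    return 1
  fi
  # Wait until the detach has finished deploying before deleting the stack.
  aws cloudfront wait distribution-deployed --id "$2" || return 2
  aws cloudformation delete-stack --stack-name "$1"
}
```

Because edge replicas take time to clean up, the delete can still fail shortly after the association is removed; re-running it later is safe.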

Next Steps