Welcome to Threat Stack! This page will help you get up and running with your Free Trial of our Audit package.
This document walks you through two setup steps:
- Creating an Account: Creating a Threat Stack account
- Setting Up Auditing: Granting Threat Stack permissions to view your configurations and CloudTrail events
If you have already created your account and logged into Threat Stack, you may skip to the "Setting Up Auditing" section below.
Creating an Account
If you filled out the free trial request form, you should have received an email with the subject line "[Action Required] - Threat Stack Invitation (Expires in 24 hrs)."
- If you need to request an email invitation, you may do so here: https://get.threatstack.com/audit-trial-request
- If you have requested an email invitation but did not receive your email, please contact firstname.lastname@example.org.
1. Open the email and click the big, blue "Accept Invitation" button.
2. The link should open up a page where you may create a Threat Stack user account. Enter your Email Address (must match the email from the invite), First Name, Last Name, and choose a Password. Click "Create Account."
3. Welcome to Threat Stack! You should now be logged into your Threat Stack account and see our "Getting Started" Page.
Setting Up Auditing
To Audit your environment, Threat Stack needs an IAM role which has permissions to perform certain read-only operations in your account. The easiest way to do this is to use our CloudFormation template. If you wish to perform setup manually, you may follow the Manual Setup instructions here.
Pre-requisite: Before you begin setup, ensure that you have administrator access to the AWS account you wish to audit.
1. Login to AWS and navigate to CloudFormation. Or click the button below:
1.1. You should now find yourself in the CloudFormation wizard, with the location of the Threat Stack template pre-populated in the "Specify an Amazon S3 template URL" field. Click "next."
1.2 The next step of the wizard requires you to enter three pieces of data. The first two, Account ID, and External ID, must be retrieved from the Threat Stack application. Step 2 will walk you through this.
2. Obtain an Account ID and External ID from Threat Stack.
2.1 Login to Threat Stack and navigate to Settings>Integrations.
2.2 In the section labeled "AWS Profiles" click "Add Profile."
2.3 Copy the Account ID and External ID and paste into the CloudFormation wizard.
Do not close the "Add AWS Profile" window in the Threat Stack application. The External ID is uniquely generated for each profile and must match what you enter into AWS.
3. Once you have filled in the Account ID and External ID, the last thing you need to do is choose the name of the S3 bucket where CloudTrail events will get stored.
- Remember that S3 bucket names must be globally unique, between 3 and 63 characters long, and can contain only lower-case characters, numbers, periods, and dashes.
3.1.1 Once all three fields are populated, hit the "Next" button.
4. You do not need to change any settings on the 'Options' screen. Simply hit "Next."
5. On the "Review" screen, you may review the values you entered on previous steps. At the bottom of the page you must check the box that says "I acknowledge that AWS CloudFormation might create IAM resources." Then hit "Create."
6. You will now be dropped on the main CloudFormation page. You may need to refresh the page to see your new Stack appear in the table. If you select your new Stack, you will see a log of the events being generated as it gets created.
7. Once the Stack status is CREAT_COMPLETE, you can click on the "Outputs" tab to access the Role ARN, SQS Queue Name and bucket name that were created.
8. The last step is to tell Threat Stack about the resources that were created and select the regions you want it to look at.
8.1 Return to "Add AWS Profile" window you opened in step 2. (If you closed the window, you are going to have to perform an extra step to insert a new external ID into the policy of the cross-account Role).
8.2 Fill in each field according to the graphic below. Hit "Add Profile."
9. Wait for the clock icon to turn to a green checkmark. This means that Threat Stack has been successfully able to authenticate with AWS using the IAM Role you created.
10. When you see the green checkmark, you are ready to perform your first Audit! In the left-hand navigation bar, click "Config Audit" and then in the upper, right-hand corner, click "Run."