App Infrastructure Protection (AIP) users can automatically set up an Amazon Web Services (AWS) integration through the CloudFormation template. When this integration completes, AIP authenticates in AWS using an AIP AWS Account linked to an AWS IAM role. AIP can then increase visibility into EC2 instances, monitor and create alerts for CloudTrail events, and perform configuration audits for AWS.
- Administrator access to your AWS account
- Access to the AIP console
Use side-by-side browser windows – one for AWS and one for AIP – to complete these instructions.
The AIP AWS account includes a unique account ID and external ID. These IDs link the AIP AWS account to the AWS configuration.
You complete the AIP AWS Account after the AWS IAM role has been created.
- Log into AIP.
- In the left navigation pane, click Settings. The Settings page displays.
- Click Integrations. The Integrations page displays.
- In the AWS Integrations section, click the + Add AWS Integration button. The + Add AWS Integration dialog opens.
Do not close this dialog until the AWS integration is complete. The External ID is uniquely generated each time you add an AWS account and must match the value entered during the AWS integration. If you click the close button, then a confirmation message displays in which you must acknowledge the close.
Use the AIP CloudFormation template to configure the AWS resources that AIP uses. The AIP CloudFormation template creates the following:
- An SNS topic
- An SQS queue
- An S3 bucket
- CloudTrail integration
- Configuration Audit integration
- A cross-account IAM role for third-party access. AIP uses this IAM role to authenticate the AIP AWS account.
To configure AWS resources:
- Log into the AWS console as an administrator.
- In this document, click the Launch Stack button.
The AWS CloudFormation window opens and the Select Template page displays.
- On the top bar, from the region drop-down menu, select the appropriate region for deployment. By default, the selected region is N. Virginia.
- Verify the Specify an Amazon S3 template URL radio button is selected and the field contains the “https://threatstack-cloudformation.s3.amazonaws.com/threatstack.json” path.
If you do not select the region in which the resources are located, then the integration will not successfully complete.
- Click the Next button. The Specify Details page displays.
- In the Parameters section, fill in the following fields:
  - What is your provided AIP Account ID? – Copy and paste the AIP account ID from the AIP + Add AWS Integration dialog.
  - What is your provided AIP External ID? – Type or copy and paste the AIP external ID from the AIP + Add AWS Integration dialog.
  - What is your desired S3 bucket name? – Type a name for the AIP S3 bucket to monitor. The S3 bucket is where AIP stores AWS events. The name must meet the following criteria:
    - Is unique across all of AWS. For example, if you name the S3 bucket "MyCompanyName," then no one else using AWS can create a "MyCompanyName" S3 bucket.
    - Is between 3 and 63 characters long.
    - Contains only lowercase letters, numbers, periods, and dashes.
    - Is not the 101st S3 bucket for the AWS account.
AWS accounts support only 100 S3 buckets by default. Contact AWS to increase the S3 bucket limit for the AWS account.
- Click the Next button. The Options page displays.
- Do not enter any information. Filling out these fields may interfere with the monitoring and alerting operations of AIP.
- Click the Next button. The Review page displays.
- Verify the information displayed.
- In the Capabilities section, read the notification message and select the I acknowledge that AWS CloudFormation might create IAM resources check box.
- Click the Create button. CloudFormation begins creating the stack, including the IAM role. The CloudFormation page displays.
- Click the Refresh button until the Status reads CREATE_COMPLETE.
- Click the stack name, then expand Outputs. The Outputs section displays.
Do not close the CloudFormation window or the Outputs section. The displayed information is necessary for the next step in the AWS integration.
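Before handing the Role ARN to AIP, it is worth confirming that the trust policy of the role the stack just created has the properties the integration relies on: only the AIP AWS account may assume it, assumption requires the external ID shown in the + Add AWS Integration dialog (this is what stops another AIP tenant or a confused deputy from using your role), and the only permitted action is sts:AssumeRole. The following is an added example, not code from the AIP documentation or the AIP CloudFormation template. It checks a trust policy document offline; the account ID, external ID, and the sample policies are constructed placeholders, and the shape of the sample trust policy is an assumption about what such a template emits. On a real stack, feed it the JSON returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`.

```python
"""Offline check of a cross-account IAM role trust policy (added example).

Reports any way in which the trust (assume-role) policy is weaker than the
expected pattern: a single trusted account, an sts:ExternalId condition that
matches the ID from the AIP dialog, and sts:AssumeRole as the only action.
"""
import json

# Constructed placeholder values: replace with the IDs shown in the AIP dialog.
AIP_ACCOUNT_ID = "111111111111"
AIP_EXTERNAL_ID = "example-external-id"

# Constructed trust policy in the shape such a template typically emits (assumption).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

# Constructed weak variant: same trusted account, but no external ID condition.
SAMPLE_TRUST_POLICY_NO_EXTERNAL_ID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return the account IDs named by a Principal element ('*' for wildcards)."""
    if principal == "*":
        return ["*"]
    accounts = []
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for entry in entries:
        if entry == "*":
            accounts.append("*")
        elif entry.startswith("arn:aws:iam::"):
            accounts.append(entry.split(":")[4])  # account ID is the 5th ARN field
        else:
            accounts.append(entry)  # bare 12-digit account ID
    return accounts


def check_trust_policy(policy_json, account_id, external_id):
    """Return a list of findings; an empty list means the policy is as expected."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    findings = []
    if not statements:
        findings.append("trust policy has no statements")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append("wildcard principal: any AWS account could assume the role")
        for acct in accounts:
            if acct not in ("*", account_id):
                findings.append(f"unexpected trusted account {acct}")
        actions = _as_list(stmt.get("Action"))
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"action broader than sts:AssumeRole: {actions}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        expected = _as_list(condition.get("sts:ExternalId"))
        if not expected:
            findings.append("no sts:ExternalId condition: confused-deputy protection missing")
        elif expected != [external_id]:
            findings.append("sts:ExternalId does not match the ID shown in the AIP dialog")
    return findings


if __name__ == "__main__":
    import sys
    # Read a policy document from stdin when piped in; otherwise check the sample.
    text = SAMPLE_TRUST_POLICY if sys.stdin.isatty() else sys.stdin.read()
    for line in check_trust_policy(text, AIP_ACCOUNT_ID, AIP_EXTERNAL_ID) or ["OK: trust policy as expected"]:
        print(line)
```

Any finding means the role should not be handed to AIP until the stack is corrected; the external ID mismatch finding in particular is what you will see if the + Add AWS Integration dialog was closed and reopened, since AIP generates a fresh External ID each time.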
Completing the AIP AWS Account allows AIP to authenticate in AWS using the IAM role.
- Go to the AIP + Add AWS Integration dialog from which you copied the account ID and external ID.
- In the Role ARN field, copy and paste the Role ARN value from the CloudFormation Outputs section.
- In the Description field, type a description of the AIP AWS role. Type a description that identifies how the bucket relates to the AWS account, such as "production."
- In the EC2 Correlation section, from the Select Regions drop-down menu, select the region(s) in which your organization has an EC2 presence.
- Select the CloudTrail Integration check box. The CloudTrail fields become available.
- In the SQS Name (Source) field, copy and paste the SQS Queue value from the CloudFormation Outputs section.
- In the S3 Bucket field, copy and paste the S3 Bucket value from the CloudFormation Outputs section.
- From the Select Regions drop-down menu, select the region(s) in which you deployed the CloudFormation template (Configure AWS Resources, step 3).
Selecting incorrect regions causes the authentication of AIP in AWS using the IAM role for CloudTrail to fail. Double-check your region selection.
- Select the Configuration Auditing check box. The Configuration Auditing field becomes available.
- From the Select Regions drop-down menu, select the region(s) in which your organization has resources.
- Verify the information entered and selected on the page is accurate.
- Click the Add AWS Integration button. The + Add AWS Integration dialog closes. The Integrations page displays. An “Account Added Successfully” message displays and the new AWS account displays in the AWS Integrations table. A clock icon displays in the EC2 Correlation Status column, indicating the account is authenticating with AWS. This process may take several minutes.
In the Settings > Integrations tab > AWS Integrations table, in the row for the AWS account, in the EC2 Correlation Status column, a green checkmark displays. That checkmark confirms that AIP successfully authenticated in AWS using the IAM role created for AWS.