Integrate Threat Stack Audit with AWS


Welcome to Threat Stack!

This page will show you how to setup AWS Integrations within your Threat Stack Trial.

You must have administrator access to your Amazon Web Services (AWS) account to do this setup.

This workflow assumes that you already have your Threat Stack account setup.

Set up using CloudFormation

To audit your environment, Threat Stack needs an IAM role with permissions to perform certain read-only operations on your account. We recommend using our CloudFormation template, preview the CloudFormation template. Alternatively, you can use the manual setup instructions.

1) To begin, click the Launch Stack button in this document and login to Amazon Web Services console. After logging in, the Create Stack Wizard displays the Select Template page.


2) On the Select Template page, confirm that Threat Stack CloudFormation template displays in the Specify an Amazon S3 template URL field.


3) Click the Next button to display the Specify Details page.

4) The Parameters section requires three pieces of data:

  • Account ID
  • External ID
  • S3 Bucket Name



Obtain your Threat Stack Account ID and External ID

You can find your Account ID and the External ID within the Threat Stack application.

1) Login to Threat Stack and navigate to the Settings page.

2) Open the Integrations tab and navigate to the AWS Profiles section.

3) Click the Add Profile button to open the Add AWS Profile window.

4) Copy the Account ID and the External ID values and paste them into their fields on the Specify Details page.


Do not close the Add AWS Profile window! The External ID uniquely generates for each profile and it must match what you enter in AWS.



5) On the AWS Specify Details page, add a name for the S3 Bucket.


The S3 Bucket is where CloudTrail events get stored.

S3 bucket names must be globally unique, between 3 and 63 characters, and can only contain lower-case characters, numbers, periods, and dashes.


6) Click the Next button to submit the form and display the Options page.


7) Click Next to proceed, you don’t need to enter any information on the Options page.

8) Review the values that you entered on the previous pages.


9) Check the box stating “I acknowledge that AWS CloudFormation might create IAM resources”.


10) Click the Create button to create the IAM role and display the CloudFormation page.

Now that you have created a IAM Role, you can take Output information and finish creating an AWS Profile.


Before you navigate back to the Threat Stack Add AWS Profile window you opened earlier, you need to copy the following information:.

  1. Role ARN
  2. SQS Queue
  3. S3 bucket name

You can find the information within the stack you create on the Outputs tab.


Add AWS Profile to Threat Stack

Navigate back to the Add AWS Profile window you opened during the Create an IAM Role workflow.


1) Paste the Role ARN name into the Role ARN field.

2) Paste the AWS Account name into the Description field.


3) In the EC2 Agent Correlation section select your region(s) from the Select Regions dropdown menu.

4) Check the CloudTrail Integration box.

5) In the CloudTrail section enter the SQS Source and the S3 Bucket

6) Select your the region of the newly created SQS queue from the dropdown menu.


If you launched the CloudFormation template by directly clicking the button above, the region may be set to US-East-1 by default. Double check this region carefully.


7) Check the Configuration Auditing box. Now select your Configuration Auditing region(s) from the dropdown menu.


8) Review the information that you entered is correct then click the Add Profile button.


The Integrations tab displays. You should see:

  • A “Profile Added Successfully” confirmation message.
  • A table in the AWS Profiles section with your new AWS Profile information

Confirm Integration

The green checkmark in the Status column means that Threat Stack successfully authenticated AWS using the IAM Role. If you don't see the green checkmark, try navigating out of the Integrations tab and then back again.


Now that you added an IAM role, you can perform your first Audit.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Article is closed for comments.