Integrating Threat Stack Auditing with AWS


To Audit your environment, Threat Stack needs an IAM role which has permissions to perform certain read-only operations in your account. The easiest way to do this is to use our CloudFormation template. If you wish to perform setup manually, you may follow the Manual Setup instructions here.

Pre-requisite: Before you begin setup, ensure that you have administrator access to the AWS account you wish to audit.

1. Log in to AWS and navigate to CloudFormation. Or click the button below:


  1.1 You should now find yourself in the CloudFormation wizard, with the location of the Threat Stack template pre-populated in the "Specify an Amazon S3 template URL" field. Click "Next."


  1.2 The next step of the wizard requires you to enter three pieces of data. The first two, Account ID and External ID, must be retrieved from the Threat Stack application. Step 2 will walk you through this.


2. Obtain an Account ID and External ID from Threat Stack.

  2.1 Log in to Threat Stack and navigate to Settings > Integrations.

  2.2 In the section labeled "AWS Profiles" click "Add Profile."

  2.3 Copy the Account ID and External ID and paste into the CloudFormation wizard.

  Do not close the "Add AWS Profile" window in the Threat Stack application. The External ID is uniquely generated for each profile and must match what you enter into AWS.



3. Once you have filled in the Account ID and External ID, the last thing you need to do is choose the name of the S3 bucket where CloudTrail events will get stored.

  • Remember that S3 bucket names must be globally unique, between 3 and 63 characters long, and can contain only lower-case characters, numbers, periods, and dashes.

  3.1 Once all three fields are populated, hit the "Next" button.


4. You do not need to change any settings on the 'Options' screen. Simply hit "Next."


5. On the "Review" screen, you may review the values you entered on previous steps. At the bottom of the page you must check the box that says "I acknowledge that AWS CloudFormation might create IAM resources." Then hit "Create." 


6. You will now be dropped on the main CloudFormation page. You may need to refresh the page to see your new Stack appear in the table. If you select your new Stack, you will see a log of the events being generated as it gets created.


7. Once the Stack status is CREATE_COMPLETE, you can click on the "Outputs" tab to access the Role ARN, SQS Queue Name and bucket name that were created.


8. The last step is to tell Threat Stack about the resources that were created and select the regions you want it to look at.

  8.1 Return to the "Add AWS Profile" window you opened in step 2. (If you closed the window, you will have to perform an extra step to insert a new External ID into the policy of the cross-account Role.)

  8.2 Fill in each field according to the graphic below. Hit "Add Profile."


9. Wait for the clock icon to turn to a green checkmark. This means that Threat Stack has successfully authenticated with AWS using the IAM Role you created.


10. When you see the green checkmark, you are ready to perform your first Audit! In the left-hand navigation bar, click "Config Audit" and then in the upper, right-hand corner, click "Run."
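
The role created above is a cross-account role, so it is worth confirming that its trust policy admits only the expected account and requires the External ID from step 2. The check below is an added example, not Threat Stack's code or template; the policy document, account ID and External ID are constructed placeholders, and `check_trust_policy` is a hypothetical helper.

```python
import json

# Constructed sample trust policy; the account ID and External ID are
# placeholders, not values from Threat Stack or its template.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})

def _as_list(value):
    """IAM policy fields accept either a single value or a list."""
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    """Return the 12-digit account from an ARN or bare account ID, else None."""
    parts = principal.split(":")
    acct = parts[4] if len(parts) >= 6 and parts[0] == "arn" else principal
    return acct if acct.isdigit() and len(acct) == 12 else None

def check_trust_policy(policy_json, account_id, external_id):
    """Return findings; an empty list means every Allow statement trusts only
    account_id and requires exactly the expected External ID."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):  # {"AWS": ...}, {"Service": ...}, ...
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:                            # bare "*"
            principals = [principal]
        for p in principals:
            if _principal_account(p) != account_id:
                findings.append(f"statement {i}: unexpected principal {p}")
        # Only an exact StringEquals match counts; key names are case-insensitive.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = _as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid", []))
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append(f"statement {i}: External ID does not match")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, "111122223333", "EXAMPLE-EXTERNAL-ID"))
```

The policy document to feed it can be read with `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`, using the role name from the stack's Role ARN output.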

