FAQ: How do I integrate with AWS Control Tower?

This article describes how to integrate F5 Distributed Cloud App Infrastructure Protection (AIP) in environments that use Amazon Web Services (AWS) Control Tower.

Note

The following integration instructions are based on the "out of the box" AWS Control Tower configuration (Log Archive Account/Audit Account).

Log Archive Account

This account functions as a repository for logs of API activities and resource configurations from all accounts in the landing zone.

Audit Account

The Audit Account is a restricted account that is designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the Audit Account, you have programmatic access to review accounts by means of a role that is granted to Lambda functions only. The Audit Account does not allow you to manually log into other accounts.

Example Environment

Below is an example of an environment that would require this configuration, together with the resulting infrastructure changes (resources that must be created or modified) in each account.

Log Archive Account

  Before (AWS Resources):
    • S3

  After (AWS Resources):
    • S3
    • IAM - CREATE
    • SQS - CREATE

Audit Account

  Before (AWS Resources):
    • CloudTrail
    • KMS (Optional)
    • SNS

  After (AWS Resources):
    • CloudTrail
    • KMS (Optional)
    • SNS

Integration Summary

  1. Create a new SQS Queue in the Log Archive Account.
  2. In the Audit Account, navigate to CloudTrail and copy the ARN for the SNS Topic.
  3. In the Log Archive Account, edit the SQS Queue Access Policy so that the queue can receive notifications from the SNS Topic.
  4. Create a subscription from the SNS topic in the Audit Account to the SQS Queue in the Log Archive Account.
  5. In the Log Archive Account, navigate to the SQS Queue and enable Send/Receive Messages.
  6. In the Audit Account, confirm the subscription for the SNS Topic.
  7. In the Log Archive Account, validate the SQS Queue messages.
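As an added example (not part of the original article or of AIP), the following Python helper covers step 3: it builds the SQS queue access policy with the grant pinned to the Audit Account topic through an aws:SourceArn condition, serializes it in the form `aws sqs set-queue-attributes --attributes` expects, and checks an existing policy for sqs:SendMessage grants that are broader than that single topic. The account IDs, region and resource names are constructed placeholders.

```python
import json

# Constructed placeholder ARNs: substitute the topic ARN copied from CloudTrail
# in the Audit Account and the ARN of the new queue in the Log Archive Account.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:audit-cloudtrail-topic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:222222222222:aip-cloudtrail-queue"

def build_queue_policy(queue_arn, topic_arn):
    """Least-privilege SQS access policy: only the SNS service may send to the
    queue, and only on behalf of the one topic named in aws:SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAuditAccountCloudTrailTopic",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }

def set_queue_attributes_payload(policy):
    """--attributes value for `aws sqs set-queue-attributes`: Policy is a JSON string."""
    return json.dumps({"Policy": json.dumps(policy)})

def send_message_findings(policy, expected_topic_arn):
    """List problems with statements granting sqs:SendMessage; an empty list
    means every such grant is pinned to expected_topic_arn."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_send = any(a.lower() in ("sqs:sendmessage", "sqs:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_send:
            continue
        cond = stmt.get("Condition", {})
        source = (cond.get("ArnEquals", {}).get("aws:SourceArn")
                  or cond.get("ArnLike", {}).get("aws:SourceArn"))
        sid = stmt.get("Sid", "<no Sid>")
        if source is None:
            findings.append(f"{sid}: sqs:SendMessage granted with no aws:SourceArn condition")
        elif source != expected_topic_arn:
            findings.append(f"{sid}: aws:SourceArn {source} is not the expected topic")
    return findings
# Constructed example of the policy shape to avoid: any principal can write to the queue.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
    "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}]}
```

After the policy is in place, the cross-account subscription in step 4 is `aws sns subscribe --topic-arn <topic ARN> --protocol sqs --notification-endpoint <queue ARN>`, run in the Audit Account.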

Please contact AIP Support (aipsupport@f5.com) with any questions or concerns.
