AWS Manual Integration Setup

F5 Distributed Cloud App Infrastructure Protection (AIP) integrates with Amazon Web Services (AWS). You can automatically set up an AWS integration through the CloudFormation method. However, you can also manually configure the AWS integration to help you understand each permission included in the integration.

Note

To enable Key Management Service (KMS) encryption using your own key, see Enable Encryption for your CloudTrail Log Files.

Prerequisites:

  • Administrator access to your AWS account
  • Access to the Distributed Cloud AIP console with a configured Distributed Cloud AIP account

Tip

Use side-by-side browser windows – one for AWS and one for Distributed Cloud AIP – to complete these instructions.

1. Create a Trail, S3 Bucket, and SNS Topic

An AWS CloudTrail integration works best with a designated S3 Bucket with a unique Simple Notification Service (SNS) Topic name.

  1. Log into the AWS Management Console as an administrator.
  2. In the Search bar, search for CloudTrail and open the CloudTrail dashboard.
  3. In the left navigation pane, click Trails. The Trails page displays.
  4. Click the Create trail button.
    The Choose trail attributes page displays.
  5. In the Trail name field, type a name for the trail. This is the name of your CloudTrail configuration for Distributed Cloud AIP.
  6. In the Storage location section, confirm that the Create a new S3 bucket radio button is selected.
  7. In the Trail log bucket and folder field, type a name for the S3 bucket. Distributed Cloud AIP recommends you match at least part of the S3 bucket name to the Trail name, so the two are easy to correlate in the future.
  8. Under Log file SSE-KMS encryption, uncheck the Enabled box.
  9. Expand the Additional settings section.
  10. Confirm that Log file validation is enabled, SNS notification delivery is enabled, and the New radio button under Create a new SNS topic is selected.
  11. In the SNS topic field, type an SNS topic name. Distributed Cloud AIP recommends you match at least part of the SNS topic name to the Trail name, so the two are easy to correlate in the future.
  12. Click the Next button. The Choose log events page displays.
  13. Select the Next button. The Review and create page displays.
  14. After you review, click the Create trail button. AWS now contains a Distributed Cloud AIP-specific CloudTrail S3 bucket and an SNS topic.

2. Create Distributed Cloud AIP-Specific SQS Queue and Attach SNS Topic

The Simple Queue Service (SQS) queue must subscribe to the CloudTrail SNS topic to receive CloudTrail log delivery notifications.

  1. In the AWS console Search bar, search for SQS and open the Queues page.
  2. Click the Create queue button.
    The Create queue page displays.
  3. In the Details section, under Type, select Standard.
  4. In the Name field, type a name for the standard queue. Distributed Cloud AIP recommends you match at least part of the SQS Queue name to the CloudTrail S3 bucket name, so the two are easy to correlate in the future.
  5. In the Configuration section, you can leave the default settings as they are, or revise them to your organization's preferences.
  6. Expand the Encryption section.
  7. Under Server-side encryption, select the Disabled radio button.
  8. Click the Create queue button. The SQS Queue page displays.
  9. In the SNS Subscriptions section, click the Subscribe to Amazon SNS topic button. The Subscribe to Amazon SNS topic page displays.
  10. Select the SNS topic you created in the previous section from the dropdown menu.
  11. Click the Save button. The SQS queue now subscribes to all messages that are part of the SNS topic.

3. Begin Creating the Distributed Cloud AIP AWS Profile

The Distributed Cloud AIP AWS profile includes a unique account ID and external ID. These IDs link the Distributed Cloud AIP AWS profile to the AWS configuration.

Note

You will complete the Distributed Cloud AIP AWS Profile after completing the creation of the AWS Identity and Access Management (IAM) role.

  1. Log into Distributed Cloud AIP.
  2. In the left navigation pane, click Settings. The Settings page displays.
  3. Click the Integrations tab. The Integrations page displays.

  4. In the AWS Integrations section, click the + Add Integration button. The Add AWS Integration dialog opens.

    Warning

    Do not close this dialog until the AWS integration is complete. A unique External ID is generated each time you add an AWS profile, and the value you enter during the AWS integration must match it. If you click the close button, a confirmation message displays in which you must acknowledge the close.

4. Create AWS IAM Role

The Distributed Cloud AIP AWS profile authenticates in AWS using the Identity and Access Management (IAM) role you create in this procedure.

  1. In the AWS console, search for IAM in the Search bar and open the IAM page.
  2. In the left navigation pane, click Roles. The Roles page displays.
  3. Click the Create role button. The Create role page displays.
  4. In the Trusted entity type section, select AWS account.
  5. In the An AWS account section, select the Another AWS account radio button.
  6. In the Account ID field, copy and paste the Account ID from the Distributed Cloud AIP Add AWS Integration dialog.
  7. Under Options, select the Require external ID checkbox.
  8. In the External ID field, copy and paste the External ID from the Distributed Cloud AIP Add AWS Integration dialog.
  9. Click the Next button. The Add permissions page displays.
  10. Click the Next button. The Name, review, and create page displays.
  11. In the Role name field, type a role name. This is the name of the IAM role the Distributed Cloud AIP AWS Account will use to authenticate in AWS.
  12. Optionally, enter a description in the Description field.
  13. Do not enter or change any information in the Add permissions section.
  14. Click the Create role button. The new IAM role is created and the Roles page displays.
  15. Select the role you created from the role list. The role's Summary page opens.

Note

You will use the role's Amazon Resource Name (ARN) to complete the Distributed Cloud AIP AWS Profile.
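
An added check for the trust relationship the steps above create (example code, not part of this document or of the Distributed Cloud AIP product). The IAM console writes a trust policy shaped like the constructed sample below; the function confirms that only the Distributed Cloud AIP account can assume the role and only when it presents the External ID, which is the protection steps 7 and 8 add. The account ID, external ID and function names are assumptions.

```python
import json

# Constructed sample of the trust policy the IAM console writes for
# "Another AWS account" with "Require external ID" (section 4, steps 4 to 8).
# The account ID and external ID are placeholders, not the real Distributed Cloud AIP values.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
    }
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc, expected_account, expected_external_id):
    """Return a list of findings; an empty list means only the expected account can
    assume the role, and only when it presents the expected external ID."""
    findings = []
    for n, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or f":{expected_account}:" not in p:
                findings.append(f"statement {n}: principal '{p}' is not the expected account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        external_ids = _as_list(cond.get("sts:ExternalId", []))
        if external_ids != [expected_external_id]:
            findings.append(f"statement {n}: sts:ExternalId condition missing or wrong")
    return findings

def without_external_id(doc):
    """Copy of the policy with the Condition removed (the shape the external ID prevents)."""
    variant = json.loads(json.dumps(doc))
    for stmt in variant["Statement"]:
        stmt.pop("Condition", None)
    return variant
```

Paste the role's actual trust policy from its Trust relationships tab into `TRUST_POLICY` and pass the Account ID and External ID shown in the Add AWS Integration dialog to run the check against your own role.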

5. Create Custom IAM Policy

The AWS IAM role requires specific permissions to access data for the Distributed Cloud AIP AWS integration.

  1. In the AWS Console, on the IAM Roles main page, select the IAM role you created in the Create AWS IAM Role section.
  2. On the Permissions tab, click the + Add inline policy link. The Create policy page displays.
  3. Select the JSON tab.
  4. Copy and paste the following information into the JSON text box:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sqs:GetQueueAttributes",
                    "sqs:GetQueueUrl",
                    "sqs:DeleteMessage",
                    "sqs:ListQueues",
                    "sqs:ReceiveMessage"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn-of-SQS-queue-here"
                ]
            },
            {
                "Action": [
                    "s3:Get*",
                    "s3:List*"
                ],
                "Resource": [
                    "arn:aws:s3:::bucketname/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ec2:Describe*"
                ],
                "Effect": "Allow",
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  5. In the “arn-of-SQS-queue-here” line, replace the text with the SQS Queue ARN.
  6. In the “arn:aws:s3:::bucketname/*” line, replace the text with the S3 bucket name.

    Warning

    Do not remove the /* from the text. This is used as a wildcard.

  7. Click the Review policy button. The Review policy page displays.
  8. In the Name field, type a name for the first policy. Distributed Cloud AIP recommends using the same naming convention used throughout this process.
  9. Click the Create Policy button. The policy is attached to the AWS IAM role. The Summary page displays.
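
An added lint for the inline policy above (example code, not from F5 or from this document). It confirms that the two placeholders from steps 5 and 6 were replaced, that the /* the warning refers to is still present, and that the only wildcard resource belongs to the read-only ec2:Describe* statement. The queue and bucket ARNs in the sample are constructed and the function names are assumptions.

```python
import json
import re

# Constructed example of the section 5 inline policy after steps 5 and 6,
# with made-up ARNs standing in for the SQS queue and S3 bucket (not real resources).
FILLED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:DeleteMessage",
                "sqs:ListQueues", "sqs:ReceiveMessage"],
     "Effect": "Allow",
     "Resource": ["arn:aws:sqs:us-east-1:111111111111:aip-cloudtrail-queue"]},
    {"Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::aip-cloudtrail-bucket/*"],
     "Effect": "Allow"},
    {"Action": ["ec2:Describe*"], "Effect": "Allow", "Resource": ["*"]}
  ]
}
""")

SQS_QUEUE_ARN = re.compile(r"^arn:aws:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")
S3_OBJECTS_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}/\*$")  # bucket plus the /* wildcard

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_inline_policy(doc):
    """Return a list of findings; an empty list means the policy is ready to save."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        service = actions[0].split(":")[0] if actions else ""
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                # Only the read-only ec2:Describe* statement is meant to cover every resource.
                if not all(a.startswith("ec2:Describe") for a in actions):
                    findings.append(f"{service}: wildcard resource is too broad for {actions}")
            elif service == "sqs" and not SQS_QUEUE_ARN.match(res):
                findings.append(f"sqs: '{res}' is not a queue ARN (step 5 placeholder left in?)")
            elif service == "s3" and not S3_OBJECTS_ARN.match(res):
                findings.append(f"s3: '{res}' must be arn:aws:s3:::<bucket>/* (step 6; keep the /*)")
    return findings

def with_resource(doc, stmt_index, resource):
    """Copy of the policy with one statement's Resource replaced (used to try variants)."""
    variant = json.loads(json.dumps(doc))
    variant["Statement"][stmt_index]["Resource"] = [resource]
    return variant
```
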

6. Integrate with Distributed Cloud AIP

Completing the Distributed Cloud AIP AWS Profile allows Distributed Cloud AIP to authenticate in AWS using the IAM role.

  1. Go to the Distributed Cloud AIP + Add AWS Integration dialog from which you copied the account ID and external ID.
  2. In the Role ARN field, copy and paste the Role ARN value from the CloudFormation Outputs section.
  3. Optionally, in the Description field, type a description of the Distributed Cloud AIP AWS role.
  4. In the EC2 Correlation section, from the Regions drop-down menu, select the region(s) in which your organization has an EC2 presence. Click the Select All Regions button to add all regions.
  5. Select the CloudTrail Integration check box. The CloudTrail fields become available.
  6. In the SQS Name (Source) field, enter the name of the SQS queue (the final component of the queue ARN, not the full ARN).
  7. In the S3 Bucket field, enter the S3 Bucket value.
  8. From the Select Regions drop-down menu, select the region(s) where resources were deployed for integration. By default, the region is US East (N. Virginia).

    Warning

    Selecting incorrect regions causes the authentication of Distributed Cloud AIP in AWS using the IAM role for CloudTrail to fail. Double-check your region selection.

  9. Click the Add AWS Integration button. The + Add AWS Integration dialog closes. The Integrations page displays. The new AWS profile displays in the AWS Integrations table. A clock icon displays in the EC2 Correlation Status column, indicating the profile is authenticating with AWS. This process may take several minutes.
7. Confirm Successful Distributed Cloud AIP Integration with AWS

Go to the Distributed Cloud AIP Settings tab > Integrations tab > AWS Integrations table. In the row for the AWS profile, the EC2 Correlation Status column displays a green checkmark to confirm that Distributed Cloud AIP successfully authenticated in AWS using the IAM role created for AWS.

Next Steps
