AWS Manual Integration Setup

Welcome to Threat Stack!

This page shows you how to set up AWS Integrations within your Threat Stack Trial.

You must have administrator access to your Amazon Web Services (AWS) account to do this setup.

Note

We recommend using the CloudFormation method of integrating Threat Stack Auditing with AWS.

This workflow assumes that your Threat Stack account is already set up.

Manual Setup Overview

Manually integrating Threat Stack Auditing with AWS includes the following processes:

  • Create a CloudTrail with an S3 Bucket and an SNS Topic
  • Create an SQS Queue and attach the new SNS Topic
  • Create a specific IAM Role
  • Create two custom policies to attach to the IAM Role
  • Integrate with Threat Stack

Create CloudTrail with S3 Bucket & SNS Topic

Create a Threat Stack specific CloudTrail Trail and S3 Bucket

1) Login to the AWS Console and navigate to CloudTrail, Trail section.

2) Click the Create trail button to display the Create Trail page.

3) Enter a Trail name and confirm that the Apply to all regions option is set to yes.

4) Confirm that the Read/Write events option is set to all.

5) Confirm that the Create a new S3 bucket option is set to yes and enter an S3 bucket name.

Warning

Stop! Do not click the Create button yet.

Create a new SNS Topic for this Trail

Before you finish creating a new CloudTrail and S3 bucket, you need to create a new SNS Topic for this Trail.

A) Click the Advanced link to display the Advanced options for logs and delivery.

B) Set the Send SNS notification for every log file delivery option to yes.

C) Set the Create a new SNS topic option to yes.

D) Enter an SNS topic name.

6) Click the Create button to create your CloudTrail with S3 bucket and SNS Topic.

Congratulations, you have created your Threat Stack specific CloudTrail, S3 Bucket, and SNS Topic. The next workflow will show you how to create a Threat Stack specific SQS Queue and attach it to the SNS Topic.

Create SQS Queue & attach SNS Topic

Create a Threat Stack specific SQS Queue

1) Navigate to SQS and click Create New Queue (SQS is grouped under Application Services).

2) Give the SQS Queue a name, then click the Quick-Create Queue button.

3) The new SQS Queue displays; copy and save its ARN.

Info

You will use the ARN information later when you build the IAM Policy.

4) With your queue still selected, click the Queue Actions button to display options.

5) Select the Subscribe Queue to SNS Topic option.

6) On the Subscribe to a Topic popup, select your topic from the Choose a Topic menu.

7) Click the Subscribe button.

Next you are going to create an IAM role and set its permissions.

Create IAM Role

Create an IAM Role specifically for Threat Stack

1) Navigate to the IAM Roles section and click the Create role button.

2) Select the Another AWS Account option to display the Specify accounts that can use this role form.

3) Next to Options check the box to Require external ID.

4) Login to Threat Stack to copy the Account and External IDs.

Obtain your Account & External IDs

Login to Threat Stack and navigate to the Integrations tab on the Settings page.

1) In the AWS Profiles section, click the + Add Profile button.

2) On the + Add AWS Profile window, copy the Account ID and the External ID.

Important

Do not close the Add AWS Profile Window. Threat Stack uniquely generates the External ID for each profile and it must match what you enter into the AWS console.

5) Paste the Threat Stack Account ID and External ID in their respective fields.

6) Click the Next: Permissions button to display the Permissions page options.

7) Do not attach any policies; you will create and attach custom ones later. Click the Next: Review button to continue.

8) Enter a Role name, then click the Create role button to complete the creation process.

9) Locate the role you just created (you may need to search for it) and select it to display the Summary section.

10) Copy the Role ARN; you will use it to complete the Threat Stack Integration later.

The next section will show you how to create and implement these custom policies.

Create Custom Policies

Now you are going to create these two custom policies:

  • Policy #1 grants the read-only permissions required for Configuration Auditing and EC2 sync
  • Policy #2 grants permissions to pull messages off the SQS queue and read contents of the S3 bucket created for CloudTrail logs

On the IAM Roles main page, select the new role you created.

1) In the Permissions section, click the + Add inline policy link.

2) On the Set Permissions page, select the Custom Policy option and click the Select button.

3) Give the first policy a name and paste the following information:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1473955400000",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListPublicKeys",
                "cloudtrail:ListTags",
                "ec2:Describe*",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetCredentialReport",
                "iam:GetAccountSummary",
                "iam:ListAttachedUserPolicies",
                "iam:ListUsers",
                "kms:GetKeyRotationStatus",
                "kms:ListKeys",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventCategories",
                "rds:DescribeEvents",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "sns:GetEndpointAttributes",
                "sns:GetPlatformApplicationAttributes",
                "sns:GetSMSAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListEndpointsByPlatformApplication",
                "sns:ListPlatformApplications",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

4) Click the Apply Policy button.

5) Follow the same steps to add Policy #2.

Warning

You must modify policy 2 before saving it! You need to add the ARN of the SQS queue and the name of the S3 bucket to this policy.

6) Replace the following text in Policy #2 with the SQS Queue ARN and S3 Bucket name you copied earlier:

  • Resource: arn-of-SQS-queue-goes-here (replace with the SQS Queue ARN)
  • Resource: arn:aws:s3:::bucketname/* (replace only bucketname with your S3 bucket name)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage",
                "sqs:ListQueues",
                "sqs:ReceiveMessage"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn-of-SQS-queue-goes-here"
            ]
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*"
            ],
            "Effect": "Allow"
        }
    ]
}
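
The two documents this role depends on, as an added example that is not Threat Stack's code: the trust relationship the console generates in the Create IAM Role steps (the standard AWS cross-account pattern, with the External ID enforced through an sts:ExternalId condition so that only the Threat Stack account holding that ID can assume the role) and Policy #2 with its two placeholders filled in, plus a check that catches an unedited template before it is saved. The account ID, External ID, queue ARN and bucket name in the script are constructed sample values.

```python
import json

# Placeholder Resource values from the article's Policy #2 template.
PLACEHOLDER_RESOURCES = ("arn-of-SQS-queue-goes-here", "arn:aws:s3:::bucketname/*")


def trust_policy(ts_account_id: str, external_id: str) -> dict:
    """Trust relationship for the cross-account role: only the Threat Stack account
    may assume it, and only when it presents the External ID from the AWS Profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ts_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def cloudtrail_policy(queue_arn: str, bucket_name: str) -> dict:
    """Policy #2 from the article with the queue ARN and bucket name filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:DeleteMessage",
                        "sqs:ListQueues", "sqs:ReceiveMessage"],
             "Resource": [queue_arn]},
            {"Effect": "Allow",
             "Action": ["s3:Get*", "s3:List*"],
             "Resource": [f"arn:aws:s3:::{bucket_name}/*"]},
        ],
    }


def policy_problems(policy: dict) -> list:
    """List what would make a saved Policy #2 useless: a placeholder left in place,
    or an SQS statement whose Resource is not an SQS queue ARN (e.g. the queue URL)."""
    problems = []
    for stmt in policy["Statement"]:
        uses_sqs = any(action.startswith("sqs:") for action in stmt["Action"])
        for res in stmt["Resource"]:
            if res in PLACEHOLDER_RESOURCES:
                problems.append(f"placeholder not replaced: {res}")
            elif uses_sqs and not res.startswith("arn:aws:sqs:"):
                problems.append(f"SQS statement needs an SQS queue ARN, got: {res}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; use the ARN and bucket name copied from the console.
    policy = cloudtrail_policy("arn:aws:sqs:us-east-1:123456789012:ts-queue", "ts-cloudtrail")
    print(json.dumps(policy, indent=4), "\nproblems:", policy_problems(policy))
```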

Integrate with Threat Stack

Within the Threat Stack application, navigate back to the Add AWS Profile window.

Info

If you closed that window, login to Threat Stack, navigate to Add AWS Profile window in the Settings page. You will need to ensure the External ID in the Add AWS Profile window is added to the Trust Relationships for the Cross-Account Role you created in the AWS console.

1) Paste the Role ARN into the Role ARN field.

2) Paste the AWS Account name into the Description field.

3) In the EC2 Agent Correlation section select your region(s) from the Select Regions dropdown menu.

4) Check the CloudTrail Integration box.

5) In the CloudTrail section, enter the SQS Source and the S3 Bucket.

6) Select the region of the newly created SQS queue from the dropdown menu.

7) Check the Configuration Auditing box. Now select your Configuration Auditing region(s) from the dropdown menu.

8) Review that the information you entered is correct, then click the Add Profile button.

The Integrations tab displays. You should see:

  • A “Profile Added Successfully” confirmation message.
  • A table in the AWS Profiles section with your new AWS Profile information.

Confirm Integration

The green checkmark in the Status column means that Threat Stack successfully authenticated to AWS using the IAM Role. If you don't see the green checkmark, try navigating out of the Integrations tab and then back again.

Now that you added an IAM role, you can perform your first Audit.
