AWS Integrations: Configuration Auditing, CloudTrail, and EC2 Sync


This article will walk you through the setup for all three of our AWS integrations: Configuration Auditing, CloudTrail and EC2 Sync.

There are three steps to this process:

  1. Create a Threat Stack-specific CloudTrail and associated S3 Bucket, SNS Topic and SQS Queue.
  2. Create a Threat Stack-specific IAM Role with two separate policies attached.
  3. Tell Threat Stack where to look for the relevant AWS resources.

Step 1: Create CloudTrail, S3 Bucket, SNS Topic, and SQS Queue

1.1 Create a Threat Stack-specific CloudTrail Trail and associated S3 Bucket.

    1.1.1 Login to the AWS Console and navigate to CloudTrail>Trails.

    1.1.2 Click on "Add New Trail."

    1.1.3 Give the new trail a name.

    1.1.4 Ensure "Apply trail to all regions" is set to "yes."

    1.1.5 Ensure "Create a new S3 bucket" is set to "yes."

    1.1.6 Give the S3 bucket a name. Save the bucket name somewhere you'll be able to find it later.                This will be used for the IAM policy created below in Step 2 - Policy 2 CloudTrail.

    1.1.7 Do not click "create."

1.2 Create a new SNS Topic for this Trail

    1.2.1 Click "Advanced" to send a notification when new log files are delivered via SNS.

    1.2.2 Set "Send SNS notification for every log file delivery" to "yes."

    1.2.3 Set "Create a new SNS topic" to "yes."

    1.2.4 Give the new SNS topic a name. Save the topic name somewhere you'll be able to find it later.

    1.2.5 Now click "Create."

1.3 Create a Threat Stack-specific SQS Queue 

    1.3.1 Navigate to SQS>Create New Queue (SQS is grouped with Application Services).

    1.3.2 Give the Queue a name and click "Create."

    1.3.3 You will be returned to the main SQS page. Find the Queue you just created and select it. Copy the ARN and save it somewhere you'll be able to find it later. This will be used for the IAM policy created below in Step 2 - Policy 2 CloudTrail.

    1.3.4 With your Queue still selected, click "Queue Actions" and select "Subscribe Queue to SNS Topic."

    1.3.5 In the dropdown choose the Topic you create in step 1.2.4 above. Click "Subscribe."

Step 2: Create an IAM role with the correct permissions

2.1 Create an IAM Role specifically for Threat Stack.

    2.1.1 Within the AWS Console, navigate to IAM>Roles. Click on "Create New Role."

    2.1.2 Give the new Role a name. Click "Next Step."

    2.1.3 Choose "Role for Cross-Account Access">"Provide access between your AWS account and a 3rd party AWS account." Click "Select."

    2.1.4 The next step requires you to retrieve an Account ID and External ID from Threat Stack. Login to Threat Stack and navigate to Settings>Integrations. In the section labeled "AWS Profiles" click "Add Profile." Copy the Account ID and External ID into the AWS Console. Click "Next Step." Do not close the "Add AWS Profile" window in the Threat Stack application. The External ID is uniquely generated for each profile and must match what you enter into AWS.


    2.1.5 At the "Attach Policy" step, do not attach any policy. You will be attaching a custom policy later. Click "Next Step."

    2.1.6 Review the information you entered and click "Create Role." Copy the Role ARN and save it somewhere you'll be able to find it later. 

2.2 Attach two custom policies to your Role.

    Policy #1 grants the read-only permissions required for Configuration Auditing and EC2 sync.

    Policy #2 grants permissions to pull messages off the SQS queue and read contents of the S3 bucket created for CloudTrail logs. You will need to add the ARN of the SQS queue and the name of the S3 bucket to this policy.

Policy 1 - Configuration Auditing and EC2 

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "Stmt1473955400000",
            "Effect": "Allow",
            "Action": [
            "Resource": [

Policy 2 - CloudTrail

 Note: Replace the items in RED, SQS Resource AWS AcctID:ARN and S3 Bucket name with the what you copied and saved in steps 1.3.3(SQS) and 1.1.6(S3) respectively.

    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Effect": "Allow",
            "Resource": [
            "Action": [
            "Resource": [
"arn:aws:s3:::bucketname/*" ], "Effect": "Allow" } ] }

    2.2.1 On the IAM>Roles main page select the new role you created.

    2.2.2 Click on the "Permissions" tab and expand the "Inline Policies" section. Click "Create Role Policy."

    2.2.3 Select "Custom Policy" and then click "Select."

    2.2.4 Give the first policy a name. Paste in Policy #1 above and click "Apply Policy."

    2.2.5 Add Policy #2 using the same steps above. You will need to modify Policy #2 before saving Replace arn:aws:sqs:us-east-1:xxxxxxxxxxxx:queuename with the ARN for the SQS Queue you created in step 1.3 above. Insert the name of the Bucket you created in step 1.1 above here: arn:aws:s3:::bucketname/*

    2.2.6 Now click "Apply Policy."

Step 3: Set Up Integration in Threat Stack 

3.1 Navigate back to the "Add AWS Profile" modal window you opened in step 2.1.4 above. 

    3.1.1 (If you closed that window, login to Threat Stack, navigate to Settings>Integrations>Add Profile. You will need to ensure the External ID in the Add Profile window is added to the Trust Relationships for the Cross-Account Role you created.)

    3.1.2 Enter the ARN for the Cross-Account Role you created in AWS.

3.2 Give your AWS Profile a name. (This will become useful if you are adding more than one AWS account to Threat Stack.)

3.3 Check the box next to "EC2 Agent Correlation" to enable that feature. 

    3.3.1 Enter the AWS regions where you have EC2 instances. Please note: If you select a region where you have no instances, you may encounter an error.

3.4 Check the box next to "CloudTrail Integration" to enable that feature.

    3.4.1 Enter the name of the SQS Queue you created. (Enter only the name, not the entire ARN).

    3.4.2 Enter the name of the S3 Bucket you created.

    3.4.3 Select the Region where your SNS Topic/SQS Queue reside.

3.5 Check the box next to "Configuration Auditing" to enable that feature.

    3.5.1 Select the regions where you would like to perform configuration assessments.

3.6 Click "Add Profile.

3.7 Notice that your new profile has been added. In the "Status" column, the click icon will be replaced with a green checkmark when Threat Stack has successfully authenticated with AWS. This may take up to 10 minutes.


3.8 It may take up to 30 minutes before you begin seeing CloudTrail events. To verify:
    3.8.1 Navigate to the Events page.
    3.8.2 Type event_type="cloudtrail" and press Return.
    3.8.3 You will see CloudTrail events.

3.9 If you are not seeing CloudTrail events after 30 minutes have passed, click here for troubleshooting steps



Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Article is closed for comments.