AWS Manual Integration Setup


Introduction

Threat Stack integrates with Amazon Web Services (AWS). Threat Stack users can set up the AWS integration automatically through the CloudFormation method. However, if you need to understand each permission included in the Threat Stack AWS integration, follow the procedures in this article to configure the AWS integration manually.

Prerequisites:

  • Administrator access to your AWS account
  • Access to the Threat Stack console with a configured Threat Stack account
  • A text editing program

Tip

Use side-by-side browser windows – one for AWS and one for Threat Stack – to complete these instructions.

1. Create a Trail, S3 Bucket, and SNS Topic

An AWS CloudTrail integration requires a unique S3 Bucket with a unique SNS Topic name.

  1. Log into the AWS Console and go to Services > Management Tools > CloudTrail. The Dashboard page displays.

  2. In the left navigation pane, click Trails. The Trails page displays.

  3. Click the Create Trail button. The Create Trail page displays.

  4. In the Trail name field, type a name for the trail. This is the name of your CloudTrail configuration for Threat Stack.
  5. In the Apply trail to all regions section, confirm the Yes radio button is selected.
  6. In the Management events section, in the Read/Write events section, confirm the All radio button is selected.
  7. In the Storage Location section, in the Create a new S3 bucket section, confirm the Yes radio button is selected.
  8. In the S3 bucket field, type a name for the S3 bucket. Threat Stack recommends you match at least part of the S3 bucket name to the Trail name, so the two are easy to correlate in the future.

    Warning

    Do not click the Create button. If you click the Create button, then the AWS integration does not complete correctly.

  9. Create a new SNS Topic for the S3 bucket.

    1. Click the Advanced expand link. The Advanced options for logs and delivery display.
    2. In the Send SNS notification for every log final delivery section, select the Yes radio button. Additional fields display.
    3. In the Create a new SNS topic section, select the Yes radio button.
    4. In the SNS topic field, type an SNS topic name. Threat Stack recommends you match at least part of the SNS topic name to the Trail name, so the two are easy to correlate in the future.
  10. Click the Create button. AWS now contains a Threat Stack-specific CloudTrail S3 bucket and an SNS topic.

2. Create Threat Stack-Specific SQS Queue and Attach SNS Topic

The CloudTrail SQS Queue must subscribe to the CloudTrail SNS Topic to receive CloudTrail logs.

  1. In the AWS Console, go to Services > Application Integration > Simple Queue Service. The SQS page displays.

  2. Click the Create New Queue button. The Create New Queue page displays.

  3. In the Queue Name field, type a name for the standard queue. Threat Stack recommends you match at least part of the SQS Queue name to the CloudTrail S3 bucket name, so the two are easy to correlate in the future.
  4. Click the Quick-Create Queue button. The SQS Queue page displays. In the SQS Queue table, the new queue is selected and the Details tab displays.

  5. Open a text editing program and type “SQS Queue Name.”
  6. On the same line, copy the value of the Name field and paste it into the text editing program.

    Note

    The SQS queue ARN, shown on the Details tab, is part of the information needed for the second custom IAM policy.

  7. In the AWS Console, confirm the new SQS queue is selected.
  8. Click the Queue Actions drop-down menu and select Subscribe Queue to SNS Topic. The Subscribe to a Topic dialog opens.

  9. From the Choose a Topic drop-down menu, select the SNS topic you created in the procedure “Create a Trail, S3 Bucket, and SNS Topic”. The Topic ARN field automatically populates with the SNS ARN.
  10. Click the Subscribe button. The SQS queue now receives every message published to the SNS topic.
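As an added example (this is not Threat Stack code or part of the original article), the following Python shows what a consumer of that queue receives once the subscription is in place: each SQS message body is an SNS envelope whose Message field is the CloudTrail log-delivery notification naming the S3 bucket and the object keys of the newly delivered log files. The sample message, account ID, topic name, bucket name and object key are constructed placeholders. The code assumes the subscription uses the console default (no raw message delivery), and it checks the bucket and topic against the ones you created in the earlier procedure rather than trusting whatever a notification names, which catches a queue that ended up subscribed to the wrong topic.

```python
"""Parse CloudTrail log-delivery notifications as they arrive in the SQS queue.

Added example, not Threat Stack code. Assumes the SNS-to-SQS subscription uses the
console default (no raw message delivery), so each SQS message body is an SNS
envelope whose "Message" field is the CloudTrail notification JSON.
"""
import json
from typing import List, Optional, Tuple

# Constructed sample SQS message body; the account id, topic, bucket and key are
# placeholders, not values from any real account.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:111111111111:example-trail-topic",
    "Message": json.dumps({
        "s3Bucket": "example-trail-bucket",
        "s3ObjectKey": [
            "AWSLogs/111111111111/CloudTrail/us-east-1/2019/01/01/"
            "111111111111_CloudTrail_us-east-1_20190101T0000Z_example.json.gz"
        ],
    }),
    "Timestamp": "2019-01-01T00:00:00.000Z",
})


def parse_cloudtrail_notification(body: str) -> Tuple[str, List[str]]:
    """Return (bucket, object keys) from one SQS message body.

    Accepts both the SNS envelope form and a raw-delivery body.
    """
    outer = json.loads(body)
    if outer.get("Type") == "Notification" and "Message" in outer:
        inner = json.loads(outer["Message"])  # SNS envelope: payload is a JSON string
    else:
        inner = outer  # raw message delivery: the body is the notification itself
    keys = inner["s3ObjectKey"]
    if not isinstance(keys, list) or not all(isinstance(k, str) for k in keys):
        raise ValueError("s3ObjectKey must be a list of strings")
    return inner["s3Bucket"], keys


def log_keys_for_bucket(body: str, expected_bucket: str,
                        expected_topic_arn: Optional[str] = None) -> List[str]:
    """Return the log object keys only if the notification comes from the expected
    topic and names the expected trail bucket.

    A mismatch means the queue is subscribed to a topic other than the one created
    for the trail; refuse the message rather than read from an unintended bucket.
    """
    outer = json.loads(body)
    if expected_topic_arn and outer.get("TopicArn") not in (None, expected_topic_arn):
        raise ValueError("notification is from topic %s" % outer.get("TopicArn"))
    bucket, keys = parse_cloudtrail_notification(body)
    if bucket != expected_bucket:
        raise ValueError("notification names bucket %r, expected %r" % (bucket, expected_bucket))
    return keys


if __name__ == "__main__":
    print(log_keys_for_bucket(SAMPLE_SQS_BODY, "example-trail-bucket"))
```

The topic check is optional because a raw-delivery body carries no TopicArn; when the envelope is present, pass the SNS topic ARN you saw in the Topic ARN field so the consumer rejects messages from any other topic.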

3. Begin Creation of Threat Stack AWS Profile

The Threat Stack AWS profile includes a unique account ID and external ID. These IDs link the Threat Stack AWS profile to the AWS configuration.

Note

You will complete the Threat Stack AWS Profile after completing the creation of the AWS IAM role.

  1. Log into Threat Stack.
  2. In the left navigation pane, click Settings. The Settings page displays.

  3. Click the Integrations tab. The Integrations page displays.
  4. In the AWS Accounts section, click the + Add Account button. The + Add AWS Account dialog opens.

    Warning

    Do not close this dialog until the AWS integration is complete. The External ID is uniquely generated each time you add an AWS profile and must match the value entered during the AWS integration. If you click the close button, then a confirmation message displays in which you must acknowledge the close.

4. Create AWS IAM Role

The Threat Stack AWS profile authenticates in AWS using the IAM role created in this procedure.

  1. In the AWS Console, go to Services > Security, Identity, & Compliance > IAM. The Welcome to Identity and Access Management page displays.

  2. In the left navigation pane, click Roles. The Roles page displays.

  3. Click the Create role button. The Create role page displays.

  4. In the Select type of trusted entity section, click Another AWS account. Additional information displays.
  5. In the Account ID field, copy and paste the Account ID value from the Threat Stack + Add AWS Account dialog.
  6. In the Options section, select the Require external ID check box. Additional information displays.

  7. In the External ID field, copy and paste the External ID value from the Threat Stack + Add AWS Account dialog.
  8. Click the Next: Permissions button. The Attach permissions policies page displays.

  9. Do not change any information on this page.
  10. Click the Next: Review button. The Review page displays.

  11. In the Role name field, type a role name. This is the name of the IAM role the Threat Stack AWS Account will use to authenticate in AWS.
  12. Click the Create role button. AWS creates the new IAM role and the Roles page displays.

  13. In the Search field, type the name of the IAM role you created in step 11, and press ENTER.
  14. Select the IAM role. The Summary page displays.

  15. Open the text editing program and type “IAM Role ARN.”
  16. On the same line, copy and paste the Role ARN.

    Note

    The Role ARN will complete the Threat Stack AWS Profile.

5. Create Two Custom Policies

The AWS IAM role requires specific permissions to access data for the Threat Stack AWS integration. In this procedure, you create two custom permission policies:

  • Policy 1 – Grant the IAM role the read-only permissions required for Threat Stack Configuration Auditing and EC2 synchronization.
  • Policy 2 – Grant the IAM role permissions to pull messages from the SQS queue and read the contents of the S3 bucket created for CloudTrail logs.

  1. In the AWS Console, on the IAM Roles main page, select the IAM role you created in the “Create AWS IAM Role” section.
  2. On the Permissions tab, click the + Add inline policy link. The Create Policy page displays.

  3. Select the JSON tab.
  4. Copy and paste the following information:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1473955400000",
          "Effect": "Allow",
          "Action": [
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:ListPublicKeys",
            "cloudtrail:ListTags",
            "ec2:Describe*",
            "elasticloadbalancing:DescribeInstanceHealth",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
            "elasticloadbalancing:DescribeLoadBalancerPolicies",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeRules",
            "elasticloadbalancing:DescribeSSLPolicies",
            "elasticloadbalancing:DescribeTags",
            "elasticloadbalancing:DescribeTargetGroupAttributes",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth",
            "iam:GenerateCredentialReport",
            "iam:GetAccountPasswordPolicy",
            "iam:GetCredentialReport",
            "iam:GetAccountSummary",
            "iam:ListAttachedUserPolicies",
            "iam:ListUsers",
            "kms:GetKeyRotationStatus",
            "kms:ListKeys",
            "rds:DescribeAccountAttributes",
            "rds:DescribeCertificates",
            "rds:DescribeEngineDefaultClusterParameters",
            "rds:DescribeEngineDefaultParameters",
            "rds:DescribeDBClusterParameterGroups",
            "rds:DescribeDBClusterParameters",
            "rds:DescribeDBClusterSnapshots",
            "rds:DescribeDBClusters",
            "rds:DescribeDBInstances",
            "rds:DescribeDBLogFiles",
            "rds:DescribeDBParameterGroups",
            "rds:DescribeDBParameters",
            "rds:DescribeDBSecurityGroups",
            "rds:DescribeDBSnapshotAttributes",
            "rds:DescribeDBSnapshots",
            "rds:DescribeDBEngineVersions",
            "rds:DescribeDBSubnetGroups",
            "rds:DescribeEventCategories",
            "rds:DescribeEvents",
            "rds:DescribeEventSubscriptions",
            "rds:DescribeOptionGroups",
            "rds:DescribeOptionGroupOptions",
            "rds:DescribeOrderableDBInstanceOptions",
            "rds:DescribePendingMaintenanceActions",
            "rds:DescribeReservedDBInstances",
            "rds:DescribeReservedDBInstancesOfferings",
            "rds:ListTagsForResource",
            "s3:GetBucketAcl",
            "s3:GetBucketPolicy",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "sns:GetEndpointAttributes",
            "sns:GetPlatformApplicationAttributes",
            "sns:GetSMSAttributes",
            "sns:GetSubscriptionAttributes",
            "sns:GetTopicAttributes",
            "sns:ListEndpointsByPlatformApplication",
            "sns:ListPlatformApplications",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTopics"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

  5. Click the Review policy button. The Review Policy page displays.

  6. In the Name field, type a name for the first policy. Threat Stack recommends using the same naming convention used throughout this process.
  7. Click the Create Policy button. The first policy is added to the AWS IAM role as an inline policy. The Summary page displays.
  8. Repeat steps 1 – 3 for the second custom policy.
  9. Copy and paste the following text into the JSON tab:


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl",
            "sqs:DeleteMessage",
            "sqs:ListQueues",
            "sqs:ReceiveMessage"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn-of-SQS-queue-goes-here"
          ]
        },
        {
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::bucketname/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

  10. In the “arn-of-SQS-queue-goes-here” line, replace the placeholder text with the SQS Queue ARN you copied into the text editing program.
  11. In the “arn:aws:s3:::bucketname/*” line, replace bucketname with the name of the S3 bucket you created for the trail.

    Warning

    Do not remove the /* from the text. This is used as a wildcard.

  12. Click the Review policy button. The Review Policy page displays.
  13. In the Name field, type a name for the second policy. Threat Stack recommends using the same naming convention used throughout this process.
  14. Click the Create Policy button. The second policy is added to the AWS IAM role as an inline policy. The Summary page displays.

6. Integrate with Threat Stack

Completing the Threat Stack AWS Profile allows Threat Stack to authenticate in AWS using the IAM role.

  1. Go to the Threat Stack + Add AWS Account dialog from which you copied the account ID and external ID.
  2. In the Role ARN field, copy and paste the Role ARN value you saved in the text editing program in the “Create AWS IAM Role” procedure.
  3. In the Description field, type a description of the Threat Stack AWS role. Type a description that identifies how the bucket relates to the AWS account, such as "production."
  4. In the EC2 Agent Correlation section, from the Select Regions drop-down menu, select the region(s) in which your organization has an EC2 presence.

  5. Select the CloudTrail Integration check box. The CloudTrail fields become available.
  6. In the SQS Name (Source) field, type the SQS Queue value.
  7. In the S3 Bucket field, type the S3 Bucket value.
  8. From the Select Regions drop-down menu, select the region(s) where resources were deployed for integration. By default, the region is N. Virginia.

    Warning

    Selecting incorrect regions causes the authentication of Threat Stack in AWS using the IAM role for CloudTrail to fail. Double-check your region selection.

  9. Select the Configuration Auditing check box. The Configuration Auditing field becomes available.
  10. From the Select Regions drop-down menu, select the region(s) in which your organization has resources.
  11. Verify the information entered and selected on the page is accurate.
  12. Click the Add AWS Account button. The + Add AWS Account dialog closes. The Integrations page displays. A “Profile Added Successfully” message displays and the new AWS profile displays in the AWS Account table. A clock icon displays in the Status column, indicating the profile is authenticating with AWS. This process may take several minutes.

    Continue to the next section.

7. Confirm Integration

In the Settings > Integrations tab > AWS Accounts table, in the row for the AWS profile, in the Status column, a green checkmark displays. That checkmark confirms that Threat Stack successfully authenticated in AWS using the IAM role created for AWS.

Next Steps

  1. Perform your first Configuration Audit of AWS.
  2. Get Started with CloudTrail Alerting.

    Note

    Threat Stack pulls CloudTrail events every ten minutes and turns the events into Threat Stack alerts.
