AWS Integrations: Config Audit and EC2 Sync only

This article walks you through the setup for two of our three AWS integrations: AWS Configuration Auditing and EC2 Sync. If you also wish to enable CloudTrail alerting, please return to our integrations overview page and follow the guide that covers all three; the IAM policy below grants only the read-only permissions these two integrations need.

There are two steps to this process:

  1. Create a Threat Stack-specific IAM Role with a custom policy attached.
  2. Tell Threat Stack where to look for the relevant AWS resources. 

Step 1: Create an IAM role with the correct permissions

1.1 Create an IAM Role specifically for Threat Stack.

    1.1.1 Within the AWS Console, navigate to IAM>Roles. Click on "Create New Role."

    1.1.2 Give the new Role a name. Click "Next Step."

    1.1.3 Choose "Role for Cross-Account Access">"Provide access between your AWS account and a 3rd party AWS account." Click "Select."

    1.1.4 The next step requires you to retrieve an Account ID and External ID from Threat Stack.

        1.1.4.1 Login to Threat Stack and navigate to Settings>Integrations.

        1.1.4.2 In the section labeled "AWS Profiles" click "Add Profile."

        1.1.4.3 Copy the Account ID and External ID into the AWS Console. Click "Next Step."

        1.1.4.4 Do not close the "Add AWS Profile" window in the Threat Stack application. The External ID is uniquely generated for each profile and must match what you enter into AWS.


    1.1.5 At the "Attach Policy" step, do not attach any policy. You will be attaching a custom policy later. Click "Next Step."

    1.1.6 Review the information you entered and click "Create Role." Copy the Role ARN and save it somewhere you'll be able to find it later. 

1.2 Attach the following custom policy to your Role. It grants the read-only permissions required for Configuration Auditing and EC2 sync. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1473955400000",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListPublicKeys",
                "cloudtrail:ListTags",
                "ec2:Describe*",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetCredentialReport",
                "iam:GetAccountSummary",
                "iam:ListAttachedUserPolicies",
                "iam:ListUsers",
                "kms:GetKeyRotationStatus",
                "kms:ListKeys",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventCategories",
                "rds:DescribeEvents",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "sns:GetEndpointAttributes",
                "sns:GetPlatformApplicationAttributes",
                "sns:GetSMSAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListEndpointsByPlatformApplication",
                "sns:ListPlatformApplications",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}


    1.2.1 On the IAM>Roles main page select the new role you created.

    1.2.2 Click on the "Permissions" tab and expand the "Inline Policies" section. Click "Create Role Policy."

    1.2.3 Select "Custom Policy" and then click "Select."

    1.2.4 Give the policy a name. Paste in the policy above and click "Apply Policy." Before applying it, confirm that every action in the list is a Describe, Get, List or GenerateCredentialReport call; this role should never be able to change anything in your account.
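The following is an added example, not Threat Stack's own code or part of the original article. It shows in code what steps 1.1.4 and 1.2 set up in the console: the trust policy AWS writes for a third-party cross-account role (the Threat Stack account as principal, conditioned on the External ID), plus a check that an inline policy pasted from the console is read-only. The account ID and External ID are placeholders (assumption); use the real values from your "Add AWS Profile" window. The sample policy embedded below is constructed from a few of the article's actions plus one write action, to show the check flagging it.

```python
import json

# Placeholder values (assumption): the real Account ID and External ID are
# shown in the Threat Stack "Add AWS Profile" window in step 1.1.4.
THREAT_STACK_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

# Verb prefixes that AWS classifies as read-level for the services in the
# article's policy (iam:GenerateCredentialReport is a Read-level action).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Generate")


def build_trust_policy(account_id, external_id):
    """Trust policy equivalent to what the console writes for a 3rd-party
    cross-account role: only the named account may assume the role, and
    only when it presents the matching External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_requires_external_id(trust_policy, external_id):
    """True only if the policy allows sts:AssumeRole and every such
    statement is conditioned on the given External ID. An unconditioned
    statement would let the third party's account assume the role on
    behalf of any of its customers, not just your profile."""
    found = False
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        found = True
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            return False
    return found


def non_read_only_actions(policy):
    """Return the Allow actions whose verb is not a read-only prefix.
    An empty list means the identity policy is read-only."""
    offending = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _sep, verb = action.partition(":")
            # "*" and "ec2:*" grant write access too, so they are flagged.
            if not verb or not verb.startswith(READ_ONLY_PREFIXES):
                offending.append(action)
    return offending


def check_policy_json(policy_text):
    """Parse a policy document pasted from the console and return the
    actions that are not read-only."""
    return non_read_only_actions(json.loads(policy_text))


# Constructed sample (not the article's full policy): a few of its actions
# plus one write action that must never be granted to this role.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "iam:GenerateCredentialReport",
               "s3:GetBucketPolicy", "ec2:TerminateInstances"],
    "Resource": ["*"]
  }]
}"""

if __name__ == "__main__":
    trust = build_trust_policy(THREAT_STACK_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("trust policy bound to External ID:",
          trust_policy_requires_external_id(trust, EXTERNAL_ID))
    print("non-read-only actions:", check_policy_json(SAMPLE_POLICY_JSON))
```

To check the article's policy itself, save the JSON from step 1.2 to a file and pass its contents to `check_policy_json`; it should return an empty list. The trust-policy check is the one to run if you ever recreate the Threat Stack profile, because each profile gets its own External ID and a role still trusting the old one will not authenticate.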

Step 2: Set Up Integration in Threat Stack 

2.1 Navigate back to the "Add AWS Profile" modal window you opened in step 1.1.4 above. 

    2.1.1 (If you closed that window, log in to Threat Stack and navigate to Settings>Integrations>Add Profile. Each profile generates its own External ID, so update the Trust Relationships of the cross-account role you created to use the External ID shown in the new Add Profile window; otherwise Threat Stack will not be able to assume the role.)

    2.1.2 Enter the ARN for the Cross-Account Role you created in AWS.

2.2 Give your AWS Profile a name. (This will become useful if you are adding more than one AWS account to Threat Stack.)

2.3 Check the box next to "EC2 Agent Correlation" to enable that feature. 

    2.3.1 Enter the AWS regions where you have EC2 instances. Please note: If you select a region where you have no instances, you may encounter an error.


2.4 Check the box next to "Configuration Auditing" to enable that feature.

    2.4.1 Select the regions where you would like to perform configuration assessments.

2.5 Click "Add Profile."

2.6 Notice that your new profile has been added. In the "Status" column, the clock icon will be replaced with a green checkmark when Threat Stack has successfully authenticated with AWS. This may take up to 10 minutes. If the checkmark never appears, confirm that the Role ARN is correct and that the role's Trust Relationship names the Threat Stack Account ID and External ID shown in the profile.
