AWS Integrations: Add CloudTrail to existing Config Audit/EC2 Integration

This article will walk you through the process of adding CloudTrail Alerting to an existing Configuration Auditing and EC2 Integration. If you have not previously enabled Configuration Auditing/EC2 Integration in your Threat Stack account, please return to the AWS Integrations Overview page. 

There are three steps to this process:

  1. Create a Threat Stack-specific CloudTrail and associated S3 Bucket, SNS Topic and SQS Queue.
  2. Update your Threat Stack-specific IAM Role with an additional policy.
  3. Tell Threat Stack where to look for the relevant AWS resources.

Step 1: Create CloudTrail, S3 Bucket, SNS Topic, and SQS Queue

1.1 Create a Threat Stack-specific CloudTrail Trail and associated S3 Bucket.

    1.1.1 Log in to the AWS Console and navigate to CloudTrail>Trails.

    1.1.2 Click on "Add New Trail."

    1.1.3 Give the new trail a name.

    1.1.4 Ensure "Apply trail to all regions" is set to "yes."

    1.1.5 Ensure "Create a new S3 bucket" is set to "yes."

    1.1.6 Give the S3 bucket a name. Save the bucket name somewhere you'll be able to find it later.

    1.1.7 Do not click "create."

1.2 Create a new SNS Topic for this Trail

    1.2.1 Click "Advanced" to send a notification when new log files are delivered via SNS.

    1.2.2 Set "Send SNS notification for every log file delivery" to "yes."

    1.2.3 Set "Create a new SNS topic" to "yes."

    1.2.4 Give the new SNS topic a name. Save the topic name somewhere you'll be able to find it later.

    1.2.5 Click the "Create" button for the new trail. 

1.3 Create a Threat Stack-specific SQS Queue 

    1.3.1 Navigate to SQS>Create New Queue (SQS is grouped with Application Services).

    1.3.2 Give the Queue a name and click "Create."

    1.3.3 You will be returned to the main SQS page. Find the Queue you just created and select it. Copy the ARN and save it somewhere you'll be able to find it later. 

    1.3.4 With your Queue still selected, click "Queue Actions" and select "Subscribe Queue to SNS Topic."

    1.3.5 In the dropdown, choose the Topic you created in step 1.2.4 above. Click "Subscribe."

Step 2: Add permissions to the Threat Stack IAM role

2.1 Navigate to the IAM Role previously created for Threat Stack.

    2.1.1 If you want to confirm the ARN, within the Threat Stack application, navigate to Settings>Integrations to access the ARN that is integrated with Threat Stack.

2.2 Attach the custom policy below to your Role. It grants permissions to pull messages off the SQS queue and to read the contents of the S3 bucket created for CloudTrail logs. You will need to add the ARN of the SQS queue and the name of the S3 bucket to this policy.

    2.2.1 On the IAM>Roles main page select the Threat Stack Role you use for Configuration Auditing.

    2.2.2 Click on the "Permissions" tab and expand the "Inline Policies" section. Click "Click here" or "Create Role Policy."

    2.2.3 Select "Custom Policy" and then click "Select."

    2.2.4 Give the policy a name. Paste the policy shown below and click "Apply Policy."

Note: Replace the two placeholders, the SQS Resource ARN and the S3 bucket name, with the values you copied and saved in steps 1.3.3 (SQS) and 1.1.6 (S3) respectively.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage",
                "sqs:ListQueues",
                "sqs:ReceiveMessage"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn-of-SQS-queue-goes-here"
            ]
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*"
            ],
            "Effect": "Allow"
        }
    ]
}
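As an added example (not Threat Stack's own code), a small Python helper that fills in the Step 2 policy from the SQS ARN saved in step 1.3.3 and the bucket name saved in step 1.1.6, and derives the queue name and region that the Step 3 form asks for. The sample ARN and bucket name are constructed; the helper also lists the bare bucket ARN alongside bucket/*, which the policy above does not, because ListBucket is evaluated against the bucket itself rather than its objects.

```python
import json
import re

# Constructed sample values: replace with the ARN saved in step 1.3.3 and the
# bucket name saved in step 1.1.6.
EXAMPLE_SQS_ARN = "arn:aws:sqs:us-east-1:123456789012:threatstack-cloudtrail"
EXAMPLE_BUCKET = "threatstack-cloudtrail-logs"

SQS_ARN_RE = re.compile(r"^arn:aws:sqs:([a-z0-9-]+):(\d{12}):([A-Za-z0-9_.-]{1,80})$")
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
SQS_ACTIONS = ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:DeleteMessage",
               "sqs:ListQueues", "sqs:ReceiveMessage"]


def parse_sqs_arn(arn):
    """Split a queue ARN into (region, account_id, queue_name).
    The Step 3 form wants only the queue name (3.2.1) and region (3.2.3), so a
    pasted queue URL or bare name is rejected here rather than producing a
    policy whose Resource never matches."""
    m = SQS_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an SQS queue ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(3)


def build_policy(sqs_arn, bucket):
    """Return the Step 2 inline role policy with the placeholders filled in.
    The S3 statement lists both the bucket ARN and bucket/*: ListBucket is a
    bucket-level action, so a Resource of only bucket/* does not cover it."""
    parse_sqs_arn(sqs_arn)
    if not BUCKET_RE.match(bucket) or ".." in bucket:
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": SQS_ACTIONS, "Resource": [sqs_arn]},
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def policy_json(sqs_arn, bucket):
    """Serialise the policy in the layout the IAM console editor accepts."""
    return json.dumps(build_policy(sqs_arn, bucket), indent=4)


if __name__ == "__main__":
    region, _, queue = parse_sqs_arn(EXAMPLE_SQS_ARN)
    print(f"Step 3 form values: queue name={queue}, region={region}")
    print(policy_json(EXAMPLE_SQS_ARN, EXAMPLE_BUCKET))
```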

Step 3: Set Up Integration in Threat Stack 

3.1 In the Threat Stack application, navigate to Settings>Integrations>AWS Profiles and click the pencil icon next to the profile you are adding CloudTrail permissions to.

3.2 Check the box next to "CloudTrail Integration" to enable that feature.

    3.2.1 Enter the name of the SQS Queue you created. (Enter only the name, not the entire ARN).

    3.2.2 Enter the name of the S3 Bucket you created.

    3.2.3 Select the Region where your SNS Topic/SQS Queue reside.

3.3 Click "Save."


3.4 You should begin to see CloudTrail events within 30 minutes.

    3.4.1 Go to the Events screen.

    3.4.2 Type event_type="cloudtrail" and press Return.

    3.4.3 You will see CloudTrail messages.

3.5 If you are not seeing CloudTrail events after 30 minutes have passed, click here for troubleshooting steps.
