AWS Integrations: Add Configuration Auditing to existing CloudTrail and EC2 integration

This article assumes you have already set up the CloudTrail and EC2 integration. If you have not, go back to the AWS Integrations Overview page for the instructions on enabling Configuration Auditing on its own.

Step 1: Add policy to Threat Stack IAM role

1.1 Log in to the AWS console and navigate to the IAM role created for Threat Stack.

1.2 Attach the policy below. It grants the read-only permissions required for Configuration Auditing and EC2 sync.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1473955400000",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListPublicKeys",
                "cloudtrail:ListTags",
                "ec2:Describe*",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:GetCredentialReport",
                "iam:GetAccountSummary",
                "iam:ListAttachedUserPolicies",
                "iam:ListUsers",
                "kms:GetKeyRotationStatus",
                "kms:ListKeys",
                "rds:DescribeAccountAttributes",
                "rds:DescribeCertificates",
                "rds:DescribeEngineDefaultClusterParameters",
                "rds:DescribeEngineDefaultParameters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:DescribeDBClusterParameters",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles",
                "rds:DescribeDBParameterGroups",
                "rds:DescribeDBParameters",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBEngineVersions",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribeEventCategories",
                "rds:DescribeEvents",
                "rds:DescribeEventSubscriptions",
                "rds:DescribeOptionGroups",
                "rds:DescribeOptionGroupOptions",
                "rds:DescribeOrderableDBInstanceOptions",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeReservedDBInstances",
                "rds:DescribeReservedDBInstancesOfferings",
                "rds:ListTagsForResource",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "sns:GetEndpointAttributes",
                "sns:GetPlatformApplicationAttributes",
                "sns:GetSMSAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListEndpointsByPlatformApplication",
                "sns:ListPlatformApplications",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
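Before attaching a policy that is presented as read-only, it is worth confirming that every action it grants really is a Describe/Get/List style call and that no write verb has crept in during copy-and-paste. The checker below is an added example, not Threat Stack's own tooling; the embedded sample policy is a constructed subset of the document above, and the service list and verb prefixes are assumptions derived from that document.

```python
import json

# Read-only verb prefixes used by the policy above. GenerateCredentialReport is
# listed explicitly: it produces a report but changes no resources.
READ_ONLY_VERBS = ("Describe", "Get", "List", "GenerateCredentialReport")
# Services the policy above touches; anything else is flagged as out of scope.
EXPECTED_SERVICES = {"cloudtrail", "ec2", "elasticloadbalancing", "iam",
                     "kms", "rds", "s3", "sns"}


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy_doc):
    """Return a list of findings; an empty list means every statement is an
    Allow of read-only actions on the expected services."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect must be Allow, got {stmt.get('Effect')!r}")
        for key in ("NotAction", "NotResource"):
            if key in stmt:  # negations grant everything except the listed items
                findings.append(f"{sid}: {key} is not allowed in a read-only policy")
        for action in _as_list(stmt.get("Action", [])):
            if ":" not in action:  # bare "*" or malformed entry
                findings.append(f"{sid}: wildcard or malformed action {action!r}")
                continue
            service, verb = action.split(":", 1)
            if service not in EXPECTED_SERVICES:
                findings.append(f"{sid}: unexpected service in {action!r}")
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: non-read-only action {action!r}")
    return findings


# Constructed sample: a subset of the actions granted by the policy above.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1473955400000", "Effect": "Allow", "Resource": ["*"],
        "Action": ["cloudtrail:DescribeTrails", "ec2:Describe*",
                   "iam:GenerateCredentialReport", "kms:GetKeyRotationStatus",
                   "s3:ListAllMyBuckets", "sns:ListTopics"],
    }],
}

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))  # [] : the sample is clean
    drifted = json.loads(json.dumps(SAMPLE_POLICY))
    drifted["Statement"][0]["Action"].append("iam:CreateUser")
    print(audit_policy(drifted))  # flags the write action
```

Run it against the saved policy file (`audit_policy(open("policy.json").read())`) and attach the policy only when the result is an empty list.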

Step 2: Set Up Integration in Threat Stack

2.1 Log in to Threat Stack and navigate to Settings > Integrations.

2.2 Click the "edit" icon next to the AWS profile you want to assess. (You will need to repeat this step for each profile.)

2.3 Scroll to the bottom of the "Edit AWS Profile" window that appears.

    2.3.1 Check the box next to "Configuration Auditing" to enable the feature.

    2.3.2 Add the AWS Regions you would like to be assessed.

    2.3.3 Click Save.

2.4 Navigate to the "Configuration Auditing" page in the left-hand nav.

2.5 Click the "Run" button in the upper-right corner to perform your first assessment.
