Cloud Management Console Monitoring
F5 Distributed Cloud App Infrastructure Protection (AIP) users can automatically set up an Amazon Web Service (AWS) integration through the CloudFormation template. When this integration completes, Distributed Cloud AIP authenticates in AWS using a Distributed Cloud AIP AWS Account linked to an AWS IAM role. Distributed Cloud AIP can then increase visibility into EC2 instances, and monitor and create alerts for CloudTrail events.
- Administrator access to your AWS account
- Access to the Distributed Cloud AIP console
Use side-by-side browser windows – one for AWS and one for Distributed Cloud AIP – to complete these instructions.
The Distributed Cloud AIP AWS account includes a unique account ID and external ID. These IDs link the Distributed Cloud AIP AWS account to the AWS configuration.
You will complete the Distributed Cloud AIP AWS Account after completing the creation of the AWS IAM role.
- Log into Distributed Cloud AIP.
- In the left navigation pane, click Settings. The Settings page displays.
- Click Integrations. The Integrations page displays.
- In the AWS Integrations section, click the + Add AWS Integration button. The + Add AWS Integration dialog opens.
Do not close this dialog until the AWS integration is complete. The External ID is uniquely generated each time you add an AWS account and must match the value entered during the AWS integration. If you click the close button, then a confirmation message displays in which you must acknowledge the close.
Users use the Distributed Cloud AIP CloudFormation template to configure AWS resources for use by Distributed Cloud AIP. The Distributed Cloud AIP CloudFormation template creates the following:
- An SNS topic
- An SQS queue
- An S3 bucket
- CloudTrail integration
- A third-party cross-account with an IAM role. The IAM role will be used to authenticate the Distributed Cloud AIP AWS account.
To configure AWS resources:
- Log into the AWS console as an administrator.
- In this document, click the Launch Stack button.
The AWS CloudFormation window opens and the Select Template page displays.
- On the top bar, from the region drop-down menu, select the appropriate region for deployment. By default, the selected region is N. Virginia.
- Verify the Specify an Amazon S3 template URL radio button is selected and the field contains the “https://threatstack-cloudformation.s3.amazonaws.com/threatstack_v2.json” path.
If you do not select the region in which the resources are located, then the integration will not successfully complete.
- Click the Next button. The Specify Details page displays.
- In the Parameters section, fill in the following fields:
- What is your provided Distributed Cloud AIP Account ID? – Copy and paste the Distributed Cloud AIP account ID from the Distributed Cloud AIP + Add AWS Integration dialog.
- What is your provided Distributed Cloud AIP External ID – Type or copy and paste the Distributed Cloud AIP external ID from the Distributed Cloud AIP + Add AWS Integration dialog.
- What is your desired S3 bucket name? – Type a name for the Distributed Cloud AIP S3 bucket to monitor. The S3 bucket is where Distributed Cloud AIP stores AWS events. The name must meet the following criteria:
- Unique across all of AWS. For example, if you name the S3 bucket "MyCompanyName," then no one else using AWS can create a "MyCompanyName" S3 bucket.
- Between 3 and 63 characters long
- Contain only a combination of lowercase letters, numbers, periods, and dashes.
- Is not the 101st S3 bucket for the AWS account.
AWS accounts only support 100 S3 buckets. Contact AWS to increase the S3 bucket limit for the AWS account.
- Click the Next button. The Options page displays.
- Do not enter any information. Filling out these fields may interfere with the monitoring and alerting operations of Distributed Cloud AIP.
- Click the Next button. The Review page displays.
- Verify the information displayed.
- In the Capabilities section, read the notification message and select the I acknowledged that AWS CloudFormation might create IAM resources check box.
- Click the Create button. The IAM role creates. The CloudFormation page displays.
- Click the Refresh button until the Status reads CREATE_COMPLETE.
- Click the stack name, then expand Outputs. The Outputs section displays.
Do not close the CloudFormation window or the Outputs section. The displayed information is necessary for the next step in the AWS integration.
Completing the Distributed Cloud AIP AWS Account allows Distributed Cloud AIP to authenticate in AWS using the IAM role.
- Go to the Distributed Cloud AIP + Add AWS Integration dialog from which you copied the account ID and external ID.
- In the Role ARN field, copy and paste the Role ARN value from the CloudFormation Outputs section.
- In the Description field, type a description of the Distributed Cloud AIP AWS role. Type a description that identifies how the bucket relates to the AWS account, such as "production."
- In the EC2 Correlation section, from the Select Regions drop-down menu, select the region(s) in which your organization has an EC2 presence.
- Select the CloudTrail Integration check box. The CloudTrail fields become available.
- In the SQS Name (Source) field, copy and paste the SQS Queue value from the CloudFormation Outputs section.
- In the S3 Bucket field, copy and paste the S3 Bucket value from the CloudFormation Outputs section.
- From the Select Regions drop-down menu, select the region(s) in which you deployed the CloudFormation template (Configure AWS Resources, step 3).
Selecting incorrect regions causes the authentication of Distributed Cloud AIP in AWS using the IAM role for Cloud Trail to fail. Double-check your region selection.
- Verify the information entered and selected on the page is accurate.
Do not fill out the Configuration Audit section of the form, or the installation will not complete.
- Click the Add AWS Integration button. The + Add AWS Integration dialog closes. The Integrations page displays. A “Account Added Successfully” message displays and the new AWS account displays in the AWS Integrations table. A clock icon displays in the EC2 Correlation Status column, indicating the account is authenticating with AWS. This process may take several minutes.
Go to the Distributed Cloud AIP Settings tab > Integrations tab > AWS Integrations table. In the row for the AWS profile, the EC2 Correlation Status column displays a green checkmark to confirm that Distributed Cloud AIP successfully authenticated in AWS using the IAM role created for AWS.
- Get Started with CloudTrail Alerting.
Distributed Cloud AIP syncs CloudTrail events per customer every four minutes, and EC2 sync events per customer every eight minutes.