Threat Stack users can automatically set up an AWS integration through the CloudFormation template. When this integration completes, Threat Stack authenticates in AWS using a Threat Stack AWS Account linked to an AWS IAM role. Threat Stack can then increase visibility into EC2 instances, and monitor and create alerts for CloudTrail events.
- Administrator access to your Amazon Web Service (AWS) account
- Access to the Threat Stack console
Use side-by-side browser windows – one for AWS and one for Threat Stack – to complete these instructions.
The Threat Stack AWS account includes a unique account ID and external ID. These IDs link the Threat Stack AWS account to the AWS configuration.
You will complete the Threat Stack AWS Account after completing the creation of the AWS IAM role.
To begin the creation of a Threat Stack AWS account:
- Log into Threat Stack.
- In the left navigation pane, click Settings. The Settings page displays.
- Click the Integrations tab. The Integrations page displays.
- In the AWS Accounts section, click the + Add AWS Account button. The + Add AWS Account dialog opens.
Do not close this dialog until the AWS integration is complete. The External ID is uniquely generated each time you add an AWS account and must match the value entered during the AWS integration. If you click the close button, then a confirmation message displays in which you must acknowledge the close.
Continue to the next section.
Users use the Threat Stack CloudFormation template to configure AWS resources for use by Threat Stack. The Threat Stack CloudFormation template creates the following:
- An SNS topic
- An SQS queue
- An S3 bucket
- CloudTrail integration
- A third-party cross-account with an IAM role. The IAM role will be used to authenticate the Threat Stack AWS account.
To configure AWS resources:
- Log into the AWS console as an administrator.
- In this document, click the Launch Stack button.
The AWS CloudFormation window opens and the Select Template page displays.
- On the top bar, from the region drop-down menu, select the appropriate region for deployment. By default, the selected region is N. Virginia.
- Verify the Specify an Amazon S3 template URL radio button is selected and the field contains the “https://threatstack-cloudformation.s3.amazonaws.com/threatstack_v2.json” path.
If you do not select the region in which the resources are located, then the integration will not successfully complete.
- Click the Next button. The Specify Details page displays.
- In the Parameters section, fill in the following fields:
- What is your provided Threat Stack Account ID? – Copy and paste the Threat Stack account ID from the Threat Stack + Add AWS Account dialog.
- What is your provided Threat Stack External ID – Type or copy and paste the Threat Stack external ID from the Threat Stack + Add AWS Account dialog.
- What is your desired S3 bucket name? – Type a name for the Threat Stack S3 bucket to monitor. The S3 bucket is where Threat Stack stores AWS events. The name must meet the following criteria:
- Unique across all of AWS. For example, if you name the S3 bucket "MyCompanyName," then no one else using AWS can create a "MyCompanyName" S3 bucket.
- Between 3 and 63 characters long
- Contain only a combination of lowercase letters, numbers, periods, and dashes.
- Is not the 101st S3 bucket for the AWS account.
AWS accounts only support 100 S3 buckets. Contact AWS to increase the S3 bucket limit for the AWS account.
- Click the Next button. The Options page displays.
- Do not enter any information. Filling out these fields may interfere with the monitoring and alerting operations of Threat Stack.
- Click the Next button. The Review page displays.
- Verify the information displayed.
- In the Capabilities section, read the notification message and select the I acknowledged that AWS CloudFormation might create IAM resources check box.
- Click the Create button. The IAM role creates. The CloudFormation page displays.
- Click the Refresh button until the Status reads CREATE_COMPLETE.
- Click the stack name, then expand Outputs. The Outputs section displays.
Do not close the CloudFormation window or the Outputs section. The displayed information is necessary for the next step in the AWS integration.
Continue to the next section.
Completing the Threat Stack AWS Account allows Threat Stack to authenticate in AWS using the IAM role.
- Go to the Threat Stack + Add AWS Account dialog from which you copied the account ID and external ID.
- In the Role ARN field, copy and paste the Role ARN value from the CloudFormation Outputs section.
- In the Description field, type a description of the Threat Stack AWS role. Type a description that identifies how the bucket relates to the AWS account, such as "production."
- In the EC2 Agent Correlation section, from the Select Regions drop-down menu, select the region(s) in which your organization has an EC2 presence.
- Select the CloudTrail Integration check box. The CloudTrail fields become available.
- In the SQS Name (Source) field, copy and paste the SQS Queue value from the CloudFormation Outputs section.
- In the S3 Bucket field, copy and paste the S3 Bucket value from the CloudFormation Outputs section.
- From the Select Regions drop-down menu, select the region(s) in which you deployed the CloudFormation template (Configure AWS Resources, step 3).
Selecting incorrect regions causes the authentication of Threat Stack in AWS using the IAM role for Cloud Trail to fail. Double-check your region selection.
- Verify the information entered and selected on the page is accurate.
Do not fill out the Configuration Audit section of the form, or the installation will not complete.
- Click the Add AWS Account button. The + Add AWS Account dialog closes. The Integrations page displays. A “Account Added Successfully” message displays and the new AWS account displays in the AWS Accounts table. A clock icon displays in the Status column, indicating the account is authenticating with AWS. This process may take several minutes.
Continue to the next section.
In the Settings > Integrations tab > AWS Accounts table, in the row for the AWS account, in the Status column, a green checkmark displays. That checkmark confirms that Threat Stack successfully authenticated in AWS using the IAM role created for AWS.
- Get Started with CloudTrail Alerting.
Threat Stack pulls CloudTrail events every ten minutes and turns the events into Threat Stack alerts.