App Infrastructure Protection (AIP) integrates with Amazon Web Services (AWS), including CloudTrail. If you currently use AWS CloudTrail, then you can leverage your existing resources in your AIP Cloud Security Platform integration.
To enable KMS encryption using your own key, see Enabling Encryption for your CloudTrail Log Files.
- Administrator access to your AWS account
- Access to the AIP console with a configured AIP account
- A text editing program
- Existing AWS CloudTrail
- Existing AWS S3 bucket
- Existing SNS topic
Use side-by-side browser windows – one for AWS and one for AIP – to complete these instructions.
The AIP AWS integration requires access to an AIP-specific SQS Queue. To ensure you receive CloudTrail logs (SNS notifications), your AIP-specific SQS Queue must subscribe to your existing CloudTrail SNS topic.
The SQS Queue must be created and reside in the same AWS Region as the S3 bucket where CloudTrail logs are stored.
- In the AWS Console, go to Services > Application Integration > Simple Queue Service. The SQS page displays.
- Click the Create New Queue button. The Create New Queue page displays.
- In the Queue Name field, type a name for the standard queue. AIP recommends you match at least part of the SQS Queue name to your CloudTrail S3 bucket name, so the two are easy to correlate in the future.
- Click the Quick-Create Queue button. The SQS Queue page displays.
In the SQS Queue table, the new queue is selected and the Details tab displays.
- Open a text editing program and type “SQS Queue Name.”
- On the same line, copy the Name field and paste it in the text editing program.
- On the next line, type "SQS Queue ARN."
- On the same line, copy the ARN field and paste it in the text editing program.
The SQS ARN is part of the information needed for an AIP-specific IAM policy.
- In the AWS Console, confirm the new SQS queue is selected.
- Click the Queue Actions drop-down menu and select Subscribe Queue to SNS Topic.
The Subscribe to a Topic dialog opens.
- From the Choose a Topic drop-down menu, select the SNS topic associated with CloudTrail. The Topic ARN field automatically populates with the SNS ARN.
- Click the Subscribe button. The AIP-specific SQS queue now subscribes to all messages that are part of the SNS topic.
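Once the subscription exists, every message on the queue is an SNS notification envelope wrapping a CloudTrail delivery notice that names the S3 bucket and the log object keys just written. The following is an added example, not code from the AIP documentation or product: it unwraps one such message and applies the checks a consumer should make before trusting it (that it came from the expected topic and refers to the expected bucket). The topic ARN, account ID, bucket and object key are constructed placeholders; the envelope shape assumed is the standard SNS "Notification" JSON that SQS receives when raw message delivery is off.

```python
"""Added example (not AIP's code): parse a CloudTrail notification as it
arrives on the SQS queue via the SNS topic subscription.

Assumptions: SNS envelope with "Type": "Notification" and a JSON string in
"Message"; the inner CloudTrail message carries "s3Bucket" and a list
"s3ObjectKey". All identifiers below are constructed sample values."""
import json

# Constructed sample: one SQS message body as delivered from the SNS topic.
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:cloudtrail-topic-example"
SAMPLE_BUCKET = "cloudtrail-logs-example"
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": SAMPLE_TOPIC_ARN,
    "Message": json.dumps({
        "s3Bucket": SAMPLE_BUCKET,
        "s3ObjectKey": [
            "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
            "111122223333_CloudTrail_us-east-1_20240101T0000Z_example.json.gz"
        ],
    }),
    "Timestamp": "2024-01-01T00:00:00.000Z",
})


def _region_from_key(key):
    """CloudTrail writes objects under .../CloudTrail/<region>/...; return
    that region segment, or None if the key does not follow that layout."""
    parts = key.split("/")
    if "CloudTrail" in parts:
        idx = parts.index("CloudTrail")
        if idx + 1 < len(parts):
            return parts[idx + 1]
    return None


def parse_cloudtrail_notification(sqs_body, expected_topic_arn, expected_bucket):
    """Unwrap the SNS envelope and return the CloudTrail log object keys plus
    the regions they were written for. Raise ValueError when the message is
    not something this queue should be receiving (wrong topic, wrong bucket,
    malformed payload), so the caller can drop or alert on it."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification: %r" % envelope.get("Type"))
    # The queue is subscribed to exactly one CloudTrail topic; anything else
    # is misconfiguration or noise, not log delivery.
    if envelope.get("TopicArn") != expected_topic_arn:
        raise ValueError("unexpected TopicArn %r" % envelope.get("TopicArn"))
    inner = json.loads(envelope.get("Message", "{}"))
    if inner.get("s3Bucket") != expected_bucket:
        raise ValueError("notification for bucket %r, expected %r"
                         % (inner.get("s3Bucket"), expected_bucket))
    keys = inner.get("s3ObjectKey")
    if not isinstance(keys, list) or not keys:
        raise ValueError("no s3ObjectKey list in CloudTrail notification")
    regions = sorted({r for r in (_region_from_key(k) for k in keys) if r})
    return {"bucket": inner["s3Bucket"], "keys": keys, "regions": regions}


if __name__ == "__main__":
    result = parse_cloudtrail_notification(SAMPLE_SQS_BODY, SAMPLE_TOPIC_ARN, SAMPLE_BUCKET)
    print(json.dumps(result, indent=2))
```

The region list the parser returns is the same region the procedure later asks you to select for the S3 bucket; a mismatch between it and the queue's own region is the configuration error the page warns about.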
The AIP AWS profile includes a unique account ID and external ID. These IDs link the AIP AWS profile to the AWS integration.
You will complete the AIP AWS Profile after completing the creation of the AIP-specific AWS IAM role.
- Log into AIP.
- In the left navigation pane, click Settings. The Settings page displays.
- Click Integrations. The Integrations page displays.
- In the AWS Integrations section, click the + Add AWS Integration button. The + Add AWS Integration dialog opens.
Do not close this dialog until the AWS integration is complete. The External ID is uniquely generated each time you add an AWS profile and must match the value entered during the AWS integration. If you click the close button, then a confirmation message displays in which you must acknowledge the close.
The AIP AWS profile authenticates in AWS using the IAM role created in this procedure.
- In the AWS Console, go to Services > Security, Identity, & Compliance > IAM. The Welcome to Identity and Access Management page displays.
- In the left navigation pane, click Roles. The Roles page displays.
- Click the Create role button. The Create role page displays.
- In the Trusted entity type section, click AWS Account.
- Select the This account (ID number) radio button, or select Another AWS account, then copy and paste the ID number of the account you want to add.
- In the Options section, select the Require external ID check box. Additional information displays.
- In the External ID field, copy and paste the External ID value from the AIP + Add AWS Integration dialog.
- Click the Next: Permissions button. The Attach permissions policies page displays. Do not change any information on this page.
- Click the Next: Review button. The Review page displays.
- In the Role name field, type a role name. This is the name of the IAM role the AIP AWS Account will use to authenticate in AWS.
- Click the Create role button. The new AIP-specific IAM role is created. The Roles page displays.
- In the Search field, type the name of the IAM role you created in step 11, and press ENTER.
- Select the IAM role. The Summary page displays.
- Open the text editing program and type “IAM Role ARN.”
- On the same line, copy and paste the Role ARN.
The Role ARN will complete the AIP AWS Profile.
The AIP-specific AWS IAM role requires specific permissions to access data for the AIP AWS integration. In this procedure, you create a custom permission policy that grants the AIP-specific AWS IAM role:
- The read-only permissions required for AIP EC2 synchronization.
- Permissions to pull messages from the AIP-specific SQS Queue and read the contents of the CloudTrail S3 bucket.
- In the AWS Console, on the IAM Roles main page, select the IAM role you created in the “Create AIP-Specific AWS IAM Role” section.
- On the Permissions tab, click the + Add inline policy link.
The Create Policy page displays.
- Select the JSON tab.
- Copy and paste the following information:
- In the “arn-of-SQS-queue-goes-here” line, replace the text with the SQS Queue ARN copied into the text editing program.
- In the “arn:aws:s3:::bucketname/*” line, replace "bucketname" with the name of the CloudTrail S3 bucket.
Do not remove the /* suffix from the text. It is the wildcard that matches every object in the bucket, which is required because CloudTrail continuously writes new log objects.
- Click the Review policy button. The Review Policy page displays.
- In the Name field, type a name for the policy. AIP recommends using the same naming convention used throughout this process.
- Click the Create Policy button. The policy applies to the AIP-specific AWS IAM role. The Summary page displays.
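The two policy documents this section and the previous one produce (the role's trust policy with the external ID condition, and the inline permission policy for the SQS queue and the CloudTrail bucket) are easy to get subtly wrong: a bucket ARN pasted without its /* suffix, or a queue in a different region from the bucket. The following is an added example, not the policy text from the AIP documentation (which is not reproduced on this page) and not AIP's code: it generates both documents from the values collected in the text editing program and refuses inputs that would break the integration. The account ID, external ID, queue ARN and bucket name are constructed placeholders, and the specific IAM action names (ec2:Describe*, sqs:ReceiveMessage and so on) are an assumption about what "read-only" and "pull messages" translate to, not the list AIP ships.

```python
"""Added example (not AIP's policy): build and sanity-check the IAM trust
policy and inline permission policy described in the procedure.

Assumed IAM actions: ec2:Describe* for EC2 synchronization, the standard SQS
receive/delete actions for pulling notifications, s3:GetObject for reading
CloudTrail log objects. All sample identifiers are constructed."""
import json
import re

SQS_ARN_RE = re.compile(
    r"^arn:aws:sqs:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):(?P<name>[A-Za-z0-9_-]{1,80})$")
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def trust_policy(aip_account_id, external_id):
    """Trust policy for the AIP-specific IAM role: only the named account may
    assume the role, and only when it presents the external ID copied from
    the + Add AWS Integration dialog (the confused-deputy protection the
    'Require external ID' check box turns on)."""
    if not re.fullmatch(r"\d{12}", aip_account_id):
        raise ValueError("account ID must be 12 digits: %r" % aip_account_id)
    if not external_id:
        raise ValueError("external ID is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % aip_account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def inline_policy(sqs_queue_arn, bucket_name, bucket_region):
    """Inline permission policy: EC2 read-only, pull from the one AIP queue,
    read objects in the one CloudTrail bucket. The queue region parsed from
    the ARN must equal the bucket region, as the procedure requires."""
    m = SQS_ARN_RE.match(sqs_queue_arn)
    if not m:
        raise ValueError("not an SQS queue ARN: %r" % sqs_queue_arn)
    if not BUCKET_RE.match(bucket_name):
        raise ValueError("invalid S3 bucket name: %r" % bucket_name)
    if m.group("region") != bucket_region:
        raise ValueError("SQS queue is in %s but the CloudTrail bucket is in %s"
                         % (m.group("region"), bucket_region))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Ec2ReadOnlyForSync", "Effect": "Allow",
             "Action": ["ec2:Describe*"], "Resource": "*"},
            {"Sid": "PullCloudTrailNotifications", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                        "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
             "Resource": sqs_queue_arn},
            # The /* suffix is the wildcard the procedure says not to remove.
            {"Sid": "ReadCloudTrailLogObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::%s/*" % bucket_name},
            {"Sid": "ListCloudTrailBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": "arn:aws:s3:::%s" % bucket_name},
        ],
    }


def object_wildcard_problems(policy):
    """Check a pasted policy (dict or JSON text) for the mistake the note
    warns about: an s3:GetObject statement whose Resource is a bare bucket
    ARN or a single object instead of a bucket/prefix wildcard. Returns the
    offending Resource strings (empty list means no problem found)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    problems = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("s3:getobject", "s3:get*", "s3:*") for a in actions):
            continue
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for r in resources:
            if r.startswith("arn:aws:s3:::") and not r.endswith("/*"):
                problems.append(r)
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy("111122223333", "example-external-id"), indent=2))
    print(json.dumps(inline_policy("arn:aws:sqs:us-east-1:111122223333:cloudtrail-logs-example-queue",
                                   "cloudtrail-logs-example", "us-east-1"), indent=2))
```

Run `object_wildcard_problems` over the JSON you are about to paste into the inline policy editor; a non-empty result means a bucket ARN lost its /* and the role would be able to list the bucket but not read the log objects inside it.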
Completing the AIP AWS Profile allows AIP to authenticate in AWS using the AIP-specific AWS IAM role.
- Go to the AIP + Add AWS Integration dialog from which you copied the account ID and external ID.
- In the Role ARN field, copy and paste the Role ARN value from the AWS Outputs section.
- In the Description field, type a description of the AIP AWS role. Type a description that identifies how the bucket relates to the AWS account, such as "production."
- In the EC2 Correlation section, from the Select Regions drop-down menu, select the region(s) in which your organization has an EC2 presence.
- Select the CloudTrail Integration check box. The CloudTrail fields become available.
- In the SQS Name (Source) field, type the SQS Queue value.
- In the S3 Bucket field, type the S3 Bucket value.
- From the Select Region drop-down menu, select the region(s) where the S3 bucket storing CloudTrail events resides.
Selecting a region that does not match the S3 bucket region causes AIP's authentication in AWS using the IAM role for CloudTrail to fail. Double-check your region selection.
- Verify the information entered and selected on the page is accurate.
- Click the Add AWS Integration button. The + Add AWS Integration dialog closes. The Integrations page displays. A “Profile Added Successfully” message displays and the new AWS profile displays in the AWS Integrations table. A clock icon displays in the EC2 Correlation Status column, indicating the profile is authenticating with AWS. This process may take several minutes.
In the Settings > Integrations tab > AWS Integrations table, in the row for the AWS profile, in the EC2 Correlation Status column, a green checkmark displays. That checkmark confirms that AIP successfully authenticated in AWS using the IAM role created for AWS.
- Get Started with CloudTrail Alerting.
AIP syncs CloudTrail events per customer every four minutes, and EC2 sync events per customer every eight minutes.