Threat Stack integrates with Amazon Web Services (AWS), including CloudTrail. If you currently use AWS CloudTrail, then you can leverage your existing resources in your Threat Stack Cloud Security Platform® integration.
To enable KMS encryption using your own key, please see the Enabling Encryption for your CloudTrail Log Files article.
- Administrator access to your AWS account
- Access to the Threat Stack console with a configured Threat Stack account
- A text editing program
- Existing AWS CloudTrail
- Existing AWS S3 bucket
- Existing SNS topic
Use side-by-side browser windows – one for AWS and one for Threat Stack – to complete these instructions.
The Threat Stack AWS integration requires access to a Threat Stack-specific SQS Queue. To ensure you receive CloudTrail logs (SNS notifications), your Threat Stack-specific SQS Queue must subscribe to your existing CloudTrail SNS topic.
The SQS Queue must be created and reside in the same AWS Region as the S3 bucket where CloudTrail logs are stored.
- In the AWS Console, go to Services > Application Integration > Simple Queue Service. The SQS page displays.
- Click the Create New Queue button. The Create New Queue page displays.
- In the Queue Name field, type a name for the standard queue. Threat Stack recommends you match at least part of the SQS Queue name to your CloudTrail S3 bucket name, so the two are easy to correlate in the future.
- Click the Quick-Create Queue button. The SQS Queue page displays.
In the SQS Queue table, the new queue is selected and the Details tab displays.
- Open a text editing program and type “SQS Queue Name.”
- On the same line, copy the Name field and paste it in the text editing program.
- On the next line, type "SQS Queue ARN."
- On the same line, copy the ARN field and paste it in the text editing program.
The SQS ARN is part of the information needed for a Threat Stack-specific IAM policy.
- In the AWS Console, confirm the new SQS queue is selected.
- Click the Queue Actions drop-down menu and select Subscribe Queue to SNS Topic.
The Subscribe to a Topic dialog opens.
- From the Choose a Topic drop-down menu, select the SNS topic associated with CloudTrail. The Topic ARN field automatically populates with the SNS ARN.
- Click the Subscribe button. The Threat Stack-specific SQS queue now subscribes to all messages that are part of the SNS topic.
The Threat Stack AWS profile includes a unique account ID and external ID. These IDs link the Threat Stack AWS profile to the AWS integration.
You will complete the Threat Stack AWS Profile after completing the creation of the Threat Stack-specific AWS IAM role.
- Log into Threat Stack.
- In the left navigation pane, click Settings. The Settings page displays.
- Click the Integrations tab. The Integrations page displays.
- In the AWS Accounts section, click the + Add Account button. The + Add AWS Account dialog opens.
Do not close this dialog until the AWS integration is complete. The External ID is uniquely generated each time you add an AWS profile and must match the value entered during the AWS integration. If you click the close button, then a confirmation message displays in which you must acknowledge the close.
The Threat Stack AWS profile authenticates in AWS using the IAM role created in this procedure.
- In the AWS Console, go to Services > Security, Identity, & Compliance > IAM. The Welcome to Identity and Access Management page displays.
- In the left navigation pane, click Roles. The Roles page displays.
- Click the Create role button. The Create role page displays.
- In the Select type of trusted entity section, click Another AWS account. Additional information displays.
- In the Account ID field, copy and paste the Account ID value from the Threat Stack + Add AWS Account dialog.
- In the Options section, select the Require external ID check box. Additional information displays.
- In the External ID field, copy and paste the External ID value from the Threat Stack + Add AWS Account dialog.
- Click the Next: Permissions button. The Attach permissions policies page displays.
- Do not change any information on this page.
- Click the Next: Review button. The Review page displays.
- In the Role name field, type a role name. This is the name of the IAM role the Threat Stack AWS Account will use to authenticate in AWS.
- Click the Create role button. The new Threat Stack-specific IAM role is created. The Roles page displays.
- In the Search field, type the name of the IAM role you created in step 11, and press ENTER.
- Select the IAM role. The Summary page displays.
- Open the text editing program and type “IAM Role ARN.”
- On the same line, copy and paste the Role ARN.
The Role ARN will complete the Threat Stack AWS Profile.
The Threat Stack-specific AWS IAM role requires specific permissions to access data for the Threat Stack AWS integration. In this procedure, you create a custom permission policy that grants the Threat Stack-specific AWS IAM role:
- The read-only permissions required for Threat Stack EC2 synchronization.
- Permissions to pull messages from the Threat Stack-specific SQS Queue and read the contents of the CloudTrail S3 bucket.
- In the AWS Console, on the IAM Roles main page, select the IAM role you created in the “Create Threat Stack-Specific AWS IAM Role” section.
- On the Permissions tab, click the + Add inline policy link.
The Create Policy page displays.
- Select the JSON tab.
- Copy and paste the following information:
- In the “arn-of-SQS-queue-goes-here” line, replace the text with the SQS Queue ARN copied into the text editing program.
- In the “arn:aws:s3:::bucketname/*” line, replace "bucketname" with the name of the CloudTrail S3 bucket.
Do not remove the /* from the text. This is used as a wildcard.
- Click the Review policy button. The Review Policy page displays.
- In the Name field, type a name for the policy. Threat Stack recommends using the same naming convention used throughout this process.
- Click the Create Policy button. The policy applies to the Threat Stack-specific AWS IAM role. The Summary page displays.
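As an added example (not Threat Stack's own policy text, which is not reproduced on this page), the following Python builds the two IAM documents this integration depends on: the role's trust policy with the external-ID condition from the “Create Threat Stack-Specific AWS IAM Role” steps, and the inline permissions policy above with the queue ARN and bucket name filled in. It also rejects the mistakes the article warns about (queue in a different region from the bucket, a malformed ARN, a missing external ID); every ARN, account ID and external ID below is a constructed placeholder, and the action list is an assumed least-privilege set, not the article's elided document.

```python
"""Illustrative helper (not Threat Stack's own policy): build the trust and
permission policies for the integration role and catch the configuration
mistakes the article warns about."""
import json
import re

# Constructed sample values; replace with the ones copied into your notes.
SQS_ARN = "arn:aws:sqs:us-east-1:111122223333:cloudtrail-logs-threatstack"
BUCKET = "cloudtrail-logs-example"
BUCKET_REGION = "us-east-1"
TS_ACCOUNT_ID = "444455556666"       # placeholder for the Threat Stack Account ID
EXTERNAL_ID = "example-external-id"  # placeholder for the dialog's External ID


def sqs_region(arn):
    """Return the region component of an SQS queue ARN, or raise if malformed."""
    m = re.fullmatch(r"arn:aws:sqs:([a-z0-9-]+):(\d{12}):([\w-]+)", arn)
    if not m:
        raise ValueError("not an SQS queue ARN: " + arn)
    return m.group(1)


def trust_policy(account_id, external_id):
    """Trust policy that lets only the named account assume the role, and only
    when it presents the External ID (sts:ExternalId) shown in the dialog."""
    if not re.fullmatch(r"\d{12}", account_id) or not external_id:
        raise ValueError("account ID must be 12 digits and external ID non-empty")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def permission_policy(sqs_arn, bucket, bucket_region):
    """Inline policy with the queue ARN and bucket filled in. The actions are an
    assumed least-privilege set: EC2 read-only, queue consumption, object reads."""
    if sqs_region(sqs_arn) != bucket_region:
        raise ValueError("SQS queue must be in the bucket's region " + bucket_region)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
         "Resource": sqs_arn},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::%s/*" % bucket}]}  # keep the /* wildcard


if __name__ == "__main__":
    print(json.dumps(trust_policy(TS_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(permission_policy(SQS_ARN, BUCKET, BUCKET_REGION), indent=2))
```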
Completing the Threat Stack AWS Profile allows Threat Stack to authenticate in AWS using the Threat Stack-specific AWS IAM role.
- Go to the Threat Stack + Add AWS Account dialog from which you copied the account ID and external ID.
- In the Role ARN field, copy and paste the Role ARN value from the AWS Outputs section.
- In the Description field, type a description of the Threat Stack AWS role. Type a description that identifies how the bucket relates to the AWS account, such as "production."
- In the EC2 Agent Correlation section, from the Select Regions drop-down menu, select the region(s) in which your organization has an EC2 presence.
- Select the CloudTrail Integration check box. The CloudTrail fields become available.
- In the SQS Name (Source) field, type the SQS Queue value.
- In the S3 Bucket field, type the S3 Bucket value.
- From the Select Regions drop-down menu, select the region(s) where the S3 bucket storing CloudTrail events resides.
Selecting a region that does not match the S3 bucket region causes the authentication of Threat Stack in AWS using the IAM role for CloudTrail to fail. Double-check your region selection.
- Verify the information entered and selected on the page is accurate.
- Click the Add AWS Account button. The + Add AWS Account dialog closes. The Integrations page displays. A “Profile Added Successfully” message displays and the new AWS profile displays in the AWS Account table. A clock icon displays in the Status column, indicating the profile is authenticating with AWS. This process may take several minutes.
In the Settings > Integrations tab > AWS Accounts table, in the row for the AWS profile, in the Status column, a green checkmark displays. That checkmark confirms that Threat Stack successfully authenticated in AWS using the IAM role created for AWS.
- Get Started with CloudTrail Alerting.
Threat Stack pulls CloudTrail events every ten minutes and turns the events into Threat Stack alerts.