Articles in this section

See more

SkyFormation for AWS Multi-Tenant Connector Overview

Avatar
Nadav Lavy (Greenberg)
  • Updated
Follow

If you're having trouble at any stage please contact us at support@skyformation.com

Preface

The goal of this guide is to add Amazon Web Service (AWS) Multi-Tenant connector to your SkyFormation Platform. This connector should be used if you are sending Cloudtrail audit events from multiple AWS accounts into a into a shared S3 bucket following the Amazon guide at: 
CloudTrail Receive Logs From Multiple Accounts

If you are using a standard AWS account with a its own private audit logs please use the standard AWS connector instead as described at: 
SkyFormation for AWS Cloud Connector Overview 

AWS is a suite of cloud services platform, provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) services. AWS helps organizations consume compute power and needed services, all without the need to buy or manage hardware.

But at the same time, the IaaS and SaaS public services presents the organization with new security challenges. 


The main challenges and needs are to:

  • Get and retain full audit of activities in AWS account
  • Retrieve the AWS account activities as IAM users, EC2 changes and data flows, events from PaaS services and many more.
  • The granular activities should be available at the organization’s central log or event management system for compliance, investigation or forensic needs.
  • Detect security threats and policy violations

What is it

SkyFormation Cloud Connector for AWS Multi-Tenant connector is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from a central single CloudTrail in a AWS account, that retrieves the CloudTrail events from multiple different AWS accounts. The connector will then unify the events into a common application events format, enrich the events with needed detection context as the AWS account source indication, and send the events to any existing SIEM/SOC system. 

How it works

SkyFormation Cloud Connector for AWS Multi-Tenant retrieves the events from the AWS service through its APIs. Before sending the events to the existing SIEM/SOC system the connector will

  • Unify the events into the SkyFormation unified application events format
  • Embed the origin event into the SkyFormation event
  • Complement the event with missing information
  • Enrich the event with detection context as AD identity information and the origin AWS account ID
  • Encode the resulted event into a standard format as CEF
  • Send the event to the existing SIEM/SOC system over syslog

AWS Multi-Tenant Audit Sources & Events Supported

Audit Source (API) Service/Module Covered Event Types Events included
CloudTrail Console Sign-in console login success/failed A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.
  Additional Software & Services: AWS Marketplace    
  Analytics: , Amazon Athena, Amazon CloudSearch, Amazon EMR, AWS Data Pipeline, Amazon Kinesis Firehose, Amazon Kinesis Streams, Amazon QuickSight    
  Application Services: Amazon API Gateway, Amazon Elastic Transcoder, Amazon Elasticsearch Service, Amazon Simple Workflow Service, AWS Step Functions    
  Artificial Intelligence: Amazon Machine Learning, Amazon Polly    
  Business Productivity: Amazon WorkDocs    
  Compute: Amazon Elastic Compute Cloud (EC2), Application Auto Scaling, Auto Scaling, Amazon EC2 Container Registry, Amazon EC2 Container Service, AWS Elastic Beanstalk, Elastic Load Balancing, AWS Lambda    
  Database: Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift, Amazon Relational Database Service    
  Desktop & App Streaming: Amazon WorkSpaces    
  Developers Tools: AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, AWS CodeStar    
  Game Development: Amazon GameLift    
  Internet Of Things (IOT): AWS IoT    
  Management Tools: AWS Application Discovery Service, AWS CloudFormation, AWS CloudTrail, Amazon CloudWatch Calls, AWS Config, AWS Managed Services, AWS OpsWorks, AWS OpsWorks for Chef Automate, AWS Organizations, AWS Service Catalog,    
  Messaging: Amazon Simple Email Service, Amazon Simple Notification Service, Amazon Simple Queue Service    
  Migration: AWS Database Migration Service, AWS Server Migration Service    
  Mobile Services: Amazon Cognito, AWS Device Farm    
  Networking & Content Delivery: Amazon CloudFront, AWS Direct Connect, Amazon Route 53, Amazon Virtual Private Cloud    
  Security, Identity & Compliance: AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), AWS Security Token Service (STS), AWS Certificate Manager, Amazon Cloud Directory, AWS CloudHSM, AWS Directory Service, Amazon Inspector, AWS WAF    
  Storage: Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Amazon Glacier, AWS Storage Gateway    
  Support: AWS Personal Health Dashboard, AWS Support    

 

How to on-board AWS Multi-Tenant Connector to SkyFormation

Adding AWS Multi-Tenant Connector To SkyFormation Platform

 

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.