If you're having trouble at any stage please contact us at firstname.lastname@example.org.
The goal of this guide is to add the Amazon Web Services (AWS) Multi-Tenant connector to your SkyFormation Platform. This connector should be used if you are sending CloudTrail audit events from multiple AWS accounts into a shared S3 bucket, following the Amazon guide at:
CloudTrail Receive Logs From Multiple Accounts
If you would like to ingest the CloudWatch audit events from some of your AWS accounts, you will need to use the SkyFormation for AWS Connector and on-board a cloud connector for each AWS account.
(0) Open outbound communication to *.amazonaws.com:443.
(1) Set up your AWS configuration to support the central CloudTrail settings. Follow the steps at:
How to Setup AWS to Send CloudTrail From Multiple AWS Accounts Into a Single Account
The SQS and S3 bucket attributes needed to add a SkyFormation AWS MT Connector are:
- SQS URL
- SQS Region
- S3 Bucket Region
(3) Have (or create) an AWS IAM user that will be used by the SkyFormation MT connector to integrate with the AWS APIs and ingest the audit events.
The user's attributes needed:
- Secret Access Key (see the example in the diagram)
- Access Key ID (see the example in the diagram)
Note: The Access Key ID and Secret Access Key in the diagram are not valid keys.
(4) The AWS IAM user mentioned above should have the following AWS permissions:
(1) Use a dedicated user for the SkyFormation AWS connector
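As an added illustration of what the connector consumes once the setup above is in place (example code, not SkyFormation's or Amazon's), the following Python reads an SQS notification, maps each object back to its source account from the AWSLogs/<account-id>/CloudTrail/ key prefix of the shared bucket, and cross-checks the recipientAccountId of every decoded record against that prefix. The two notification shapes handled, the key layout and all sample data are assumptions constructed for the example.

```python
import gzip
import json
import re
from urllib.parse import unquote_plus

# Assumed key layout: AWSLogs/<account-id>/CloudTrail/<region>/... (organization trails add an "o-…" segment).
_KEY_RE = re.compile(r"(?:^|/)AWSLogs/(?:o-[a-z0-9]+/)?(?P<account>\d{12})/CloudTrail/")


def objects_from_sqs_body(body: str) -> list:
    """(bucket, key) pairs named in one SQS message body: the S3 event-notification shape
    ("Records", keys URL-encoded) or the CloudTrail SNS shape ("s3Bucket"/"s3ObjectKey"),
    unwrapping an SNS envelope if the queue is subscribed without raw message delivery."""
    msg = json.loads(body)
    if "TopicArn" in msg and isinstance(msg.get("Message"), str):
        msg = json.loads(msg["Message"])
    if "Records" in msg:
        return [(r["s3"]["bucket"]["name"], unquote_plus(r["s3"]["object"]["key"]))
                for r in msg["Records"]]
    if "s3Bucket" in msg:
        return [(msg["s3Bucket"], k) for k in msg["s3ObjectKey"]]
    raise ValueError("unrecognised notification format")


def account_from_key(key: str) -> str:
    """Tenant (AWS account id) an object belongs to, read from its key prefix."""
    m = _KEY_RE.search(key)
    if not m:
        raise ValueError(f"not a CloudTrail object key: {key}")
    return m.group("account")


def split_records(key: str, data: bytes) -> tuple:
    """Decode a gzipped CloudTrail file into (accepted, rejected) records: a record is accepted
    only if its recipientAccountId matches the account in the key prefix, so a file written
    into another tenant's prefix cannot be attributed to that tenant."""
    expected = account_from_key(key)
    accepted, rejected = [], []
    for rec in json.loads(gzip.decompress(data))["Records"]:
        (accepted if rec.get("recipientAccountId") == expected else rejected).append(rec)
    return accepted, rejected


# Constructed sample inputs (not real data): an S3 event notification as delivered via SQS
# and a tiny gzipped CloudTrail file of the kind the connector would then fetch from S3.
SAMPLE_KEY = ("AWSLogs/111111111111/CloudTrail/eu-west-1/2024/01/31/"
              "111111111111_CloudTrail_eu-west-1_20240131T0000Z_x.json.gz")
SAMPLE_BODY = json.dumps({"Records": [{"s3": {"bucket": {"name": "central-audit-bucket"},
                                              "object": {"key": SAMPLE_KEY}}}]})
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "recipientAccountId": "111111111111"},
    {"eventName": "CreateUser", "recipientAccountId": "111111111111"},
    {"eventName": "DeleteTrail", "recipientAccountId": "222222222222"},  # mis-filed record
]}).encode())
```

In a live pipeline the (bucket, key) pair from objects_from_sqs_body is fetched from S3 with the IAM user's keys before split_records runs; rejected records are worth alerting on rather than silently dropping.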
1. Log on to your SkyFormation Platform.
2. Navigate via the left navigation panel to the "Settings" section.
3. In the Settings left navigation panel, navigate to the "Accounts" section.
4. Click the "Add Account" button.
5. At "SELECT SERVICE TO ADD", choose "AWS-MultiTenant".
You will see the below screen:
6. Fill in the following information:
- Account Name
  Give this AWS cloud connector a name that is meaningful to you. It becomes the cloud app
  connector name displayed in the SkyFormation platform and is added as an identifier to every
  event this connector sends to your SIEM/Log/Splunk system.
  Example: "AWS EMEA Central Audit"
- Description
  Add any text that describes this cloud app connector's function and meaning for the business.
  Example: "AWS account for central cloudtrail audit in EMEA AWS accounts"
- SQS URL
  The URL of the SQS queue in use for the central audit.
  Example (not a valid value to use)
- SQS Region
  The region of the SQS queue.
- S3 Bucket Region
  The region name of the S3 bucket used for the central CloudTrail.
- Access Key ID
  The IAM user's Access Key ID.
- Secret Access Key
  The IAM user's Secret Access Key.
7. Click the "SAVE" button.
Make sure the "STATUS" of the new AWS MT connector in the table is OK and green.
You are done!