If you're having trouble at any stage please contact us at firstname.lastname@example.org.
The goal of this guide is to add a new Amazon Web Service (AWS) connector to your SkyFormation Platform.
(0) Open Outbound communication to *.amazonaws.com:443
(1) Have (or create) Cloud Trail for the AWS events history.
Follow the instructions at: Creating a Trail - AWS CloudTrail
Get the S3 bucket region used by the CloudTrail (e.g. "US East" in the example below).
(2) Have (or create) an AWS IAM user that will be used by the SkyFormation connector to
integrate with AWS APIs and do the security monitoring.
The user attributes needed:
- Secret Access Key (e.g. see in the diagram an example)
- Access Key ID (e.g. see in the diagram an example)
Note: The Access Key ID and Secret Access Key in the diagram are not valid keys.
(3) The AWS IAM user mentioned above should have the following AWS Policies:
- For CloudTrail events:
- For IAM events:
- For CloudWatch Logs events:
- For CloudWatch events:
- For GuardDuty events:
- For CloudTrail Data Events (for the CloudTrail Data Events provided SQS Queue)
- For Macie alerts (for the Macie provided SQS Queue)
(4) For Flow Logs event enrichment, the AWS IAM user mentioned above should have the
following AWS permissions:
In EC2 service add the below action:
In IAM service add the below action:
- Monitor S3 and Lambda Data events - See this guide for details
- Monitor AWS Macie alerts and events - See this guide
(1) Use a dedicated user for the SkyFormation AWS connector
1. Log on to your SkyFormation Platform:
2. Navigate via left navigation panel to "Settings" section
3. Navigate via New Settings left navigation panel to "Accounts" section
4. Click the "Add Account" button
5. At the "SELECT SERVICE TO ADD" choose "AWS Amazon"
You will see the below screen:
6. Fill in the following information:
- Account Name
Give this AWS cloud connector a name that is meaningful to you. This becomes the cloud app
connector name displayed in the SkyFormation platform and is added as an identifier to every
event sent from this connector to your SIEM/Log/Splunk system.
"AWS IaaS for US development"
Add any text that describes the specific cloud app connector's function and meaning for the
"AWS account used for cloud development needs"
(Optional) The SQS Queue's URL where CloudTrail Data events are configured to go.
See this guide for details
(Optional) The SQS Queue's URL where the AWS Macie events are configured to go.
See this guide for details
The region where the CloudTrail is configured
Put the IAM user's Access Key ID
Put the IAM user's Secret Access Key
7. Click the "SAVE" button
Make sure the "STATUS" of the new AWS connector in the table is OK and green.
You are done!
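As an added example (not SkyFormation's code and not an AWS tool), the following Python pre-flight script covers the prerequisites in steps (0) to (4) and the form fields above. It validates the shape of the Access Key ID, Secret Access Key, region code and the optional SQS queue URLs before they are pasted into the connector (a trailing space or a console label such as "US East" instead of a region code is a common reason the connector STATUS is not green), checks that outbound TCP 443 to amazonaws.com is open, and, only if boto3 is installed, makes read-only calls to confirm the key works and to report the CloudTrail S3 bucket region asked for in step (1). The key pair in the sample form is the placeholder pair from AWS documentation (not valid credentials); the account id and queue name are constructed, and the form field names are assumptions.

```python
"""Pre-flight checks for the values that go into the SkyFormation AWS connector form.

Added example; not SkyFormation code. The local checks only validate the *shape* of
each value. The live checks are optional, read-only, and run only when boto3 is
installed and the keys are real.
"""
import re
import socket
from urllib.parse import urlparse

# Access Key IDs are 20 characters; AKIA = long-term IAM user key, ASIA = temporary key.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
# Secret Access Keys are 40 characters from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")
# Region codes look like us-east-1 or us-gov-west-1 (the console label "US East" is not a code).
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
SQS_HOST_RE = re.compile(r"^sqs\.([a-z0-9-]+)\.amazonaws\.com$")


def check_access_key_id(value: str) -> bool:
    return bool(ACCESS_KEY_ID_RE.match(value.strip()))


def check_secret_key(value: str) -> bool:
    return bool(SECRET_KEY_RE.match(value.strip()))


def check_region(value: str) -> bool:
    return bool(REGION_RE.match(value.strip()))


def sqs_url_region(url: str):
    """Return the region embedded in an SQS queue URL, or None if the URL is malformed.

    Expected form: https://sqs.<region>.amazonaws.com/<12-digit account id>/<queue name>
    """
    p = urlparse(url.strip())
    host = SQS_HOST_RE.match(p.netloc)
    parts = p.path.strip("/").split("/")
    if p.scheme != "https" or not host or len(parts) != 2:
        return None
    account, queue = parts
    if not re.fullmatch(r"\d{12}", account) or not re.fullmatch(r"[A-Za-z0-9_-]{1,80}", queue):
        return None
    return host.group(1)


def validate_form(form: dict) -> list:
    """Return a list of human-readable problems; an empty list means the form looks sane.
    The field names are assumptions made for this example."""
    problems = []
    if not form.get("account_name", "").strip():
        problems.append("Account Name is empty")
    if not check_access_key_id(form.get("access_key_id", "")):
        problems.append("Access Key ID is not a 20-character AKIA.../ASIA... key")
    if not check_secret_key(form.get("secret_access_key", "")):
        problems.append("Secret Access Key is not 40 characters")
    if not check_region(form.get("region", "")):
        problems.append("Region must be a code such as us-east-1, not a console label")
    for field in ("cloudtrail_data_events_sqs_url", "macie_sqs_url"):
        url = form.get(field)
        if url and sqs_url_region(url) is None:
            problems.append(f"{field} is not a well-formed SQS queue URL")
    return problems


def outbound_443_open(host: str = "sts.amazonaws.com", timeout: float = 3.0) -> bool:
    """Step (0): can this host reach *.amazonaws.com on TCP 443?"""
    try:
        with socket.create_connection((host, 443), timeout=timeout):
            return True
    except OSError:
        return False


def live_checks(form: dict) -> dict:
    """Read-only API calls: confirm the key works and report each trail's bucket region."""
    try:
        import boto3  # optional dependency; the check is skipped when it is absent
    except ImportError:
        return {"skipped": "boto3 not installed"}
    session = boto3.Session(
        aws_access_key_id=form["access_key_id"],
        aws_secret_access_key=form["secret_access_key"],
        region_name=form["region"],
    )
    result = {"identity": session.client("sts").get_caller_identity()["Arn"], "trails": []}
    s3 = session.client("s3")
    for trail in session.client("cloudtrail").describe_trails()["trailList"]:
        # GetBucketLocation returns None for us-east-1 (the legacy "US Standard" region).
        location = s3.get_bucket_location(Bucket=trail["S3BucketName"])["LocationConstraint"]
        result["trails"].append({"name": trail["Name"], "bucket": trail["S3BucketName"],
                                 "bucket_region": location or "us-east-1"})
    return result


if __name__ == "__main__":
    # Constructed form values. The key pair is the AWS documentation placeholder pair
    # (not a valid credential); the account id and queue name are made up.
    sample = {
        "account_name": "AWS IaaS for US development",
        "access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "region": "us-east-1",
        "cloudtrail_data_events_sqs_url": "https://sqs.us-east-1.amazonaws.com/123456789012/cloudtrail-data-events",
    }
    print("form problems:", validate_form(sample) or "none")
    print("outbound 443 to amazonaws.com:", outbound_443_open())
```

Run it on the SkyFormation host itself so the outbound check reflects the firewall rule from step (0); `live_checks` needs only `sts:GetCallerIdentity`, `cloudtrail:DescribeTrails` and `s3:GetBucketLocation`, so a key that fails it is missing the CloudTrail-related policy from step (3) or is simply mistyped.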