If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to add a new Amazon Web Service (AWS) connector to your SkyFormation Platform.
Prerequisites
- Mandatory
(0) Open outbound communication to *.amazonaws.com:443
(1) Have (or create) a CloudTrail trail for the AWS event history.
Follow the instructions at: Creating a Trail - AWS CloudTrail
Get the S3 bucket region used by the CloudTrail (e.g. "US East" in the example below).
(2) Have (or create) an AWS IAM user that will be used by the SkyFormation connector to
integrate with AWS APIs and do the security monitoring.
The user's attributes needed:
- Secret Access Key (e.g. see in the diagram an example)
- Access Key ID (e.g. see in the diagram an example)
Note: The Access Key ID and Secret Access Key in the diagram are not valid keys.
(3) The AWS IAM user mentioned above should have the following AWS Policies:
- For CloudTrail events:
AWSCloudTrailReadOnlyAccess
- For IAM events:
IAMReadOnlyAccess
- For CloudWatch Logs events:
CloudWatchLogsReadOnlyAccess
- For CloudWatch events:
CloudWatchReadOnlyAccess
- For GuardDuty events:
AmazonGuardDutyReadOnlyAccess
- For CloudTrail Data Events (on the SQS queue provided for CloudTrail Data Events):
sqs:DeleteMessage
sqs:DeleteMessageBatch
sqs:ReceiveMessage
- For Macie alerts (on the SQS queue provided for Macie):
sqs:DeleteMessage
sqs:DeleteMessageBatch
sqs:ReceiveMessage
- For Redshift events:
redshift:DescribeEvents
Audit logging is not enabled by default in Amazon Redshift. When you enable logging on your cluster, Amazon Redshift creates and uploads logs to Amazon S3 that capture data from the creation of the cluster to the present time. Each logging update is a continuation of the information that was already logged.
Audit logging to Amazon S3 is an optional, manual process.
The connection log, user log, and user activity log are enabled together by using the AWS Management Console.
For the user activity log, you must also enable the enable_user_activity_logging database parameter. If you enable only the audit logging feature, but not the associated parameter, the database audit logs will log information for only the connection log and user log, but not for the user activity log. The enable_user_activity_logging parameter is disabled (false) by default, but you can set it to true to enable the user activity log.
You will need to provide additional permissions, as follows:
Notes on the policy below:
- "redshift:DescribeEvents" is the permission for Redshift events.
- In the second statement, list every S3 bucket used for Redshift audit logging. Each bucket needs two Resource entries: the bucket ARN itself (for "s3:ListBucket" on the bucket) and the bucket ARN followed by "/*" (for "s3:GetObject" on all objects in that bucket). The example covers two buckets, "redshift-cluster-1-db-audit-log" and "redshift-bucket-3".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeEvents",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "iam:GetUser",
        "redshift:DescribeClusterParameters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::redshift-cluster-1-db-audit-log/*",
        "arn:aws:s3:::redshift-bucket-3/*",
        "arn:aws:s3:::redshift-cluster-1-db-audit-log",
        "arn:aws:s3:::redshift-bucket-3"
      ]
    }
  ]
}
- For Shield events:
shield:ListAttacks
- For Inspector events:
inspector:ListFindings
inspector:DescribeFindings
(4) For Flow Logs event enrichment, the AWS IAM user mentioned above should also have the
following AWS permissions:
In the EC2 service, add the action:
DescribeInstances
In the IAM service, add the action:
ListAccountAliases
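The permission list above is easy to get subtly wrong by hand (a bucket missing its "/*" twin, SQS rights granted on "*"). The following added example, which is not SkyFormation's or AWS's own code, builds the connector user's inline policy from the prerequisites listed above and checks the Redshift bucket rule. The bucket names and SQS queue ARNs in it are constructed placeholders; the managed-policy names and IAM actions are the ones named in this guide, with the Flow Logs actions written in their full "ec2:" and "iam:" form.

```python
"""Build the SkyFormation connector user's inline IAM policy and verify bucket coverage.

Added example, not SkyFormation's or AWS's own code. Bucket names and queue ARNs are
constructed placeholders; replace them with your own values before use.
"""
import json
import re

# AWS managed policies the guide attaches to the connector user (attach these separately).
MANAGED_POLICIES = [
    "AWSCloudTrailReadOnlyAccess",
    "IAMReadOnlyAccess",
    "CloudWatchLogsReadOnlyAccess",
    "CloudWatchReadOnlyAccess",
    "AmazonGuardDutyReadOnlyAccess",
]

SQS_ACTIONS = ["sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:ReceiveMessage"]
REDSHIFT_ACTIONS = [
    "redshift:DescribeEvents",
    "redshift:DescribeClusters",
    "redshift:DescribeLoggingStatus",
    "redshift:DescribeClusterParameters",
    "iam:GetUser",
]
OTHER_READ_ACTIONS = [
    "shield:ListAttacks",
    "inspector:ListFindings",
    "inspector:DescribeFindings",
    "ec2:DescribeInstances",    # Flow Logs enrichment
    "iam:ListAccountAliases",   # Flow Logs enrichment
]

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots and hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def s3_audit_statement(buckets):
    """One statement covering every audit bucket: the bucket ARN (for ListBucket)
    and the bucket ARN plus "/*" (for GetObject on its objects), as the guide requires."""
    resources = []
    for bucket in buckets:
        if not _BUCKET_RE.match(bucket):
            raise ValueError(f"invalid S3 bucket name: {bucket!r}")
        resources.append(f"arn:aws:s3:::{bucket}")
        resources.append(f"arn:aws:s3:::{bucket}/*")
    return {"Sid": "RedshiftAuditLogBuckets", "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": resources}


def build_policy(redshift_audit_buckets, sqs_queue_arns):
    """Return the inline policy document as a dict (json.dumps it to upload)."""
    statements = [
        {"Sid": "RedshiftRead", "Effect": "Allow", "Action": REDSHIFT_ACTIONS, "Resource": "*"},
        {"Sid": "ServiceRead", "Effect": "Allow", "Action": OTHER_READ_ACTIONS, "Resource": "*"},
    ]
    if redshift_audit_buckets:
        statements.append(s3_audit_statement(redshift_audit_buckets))
    if sqs_queue_arns:
        # Scope the consumer rights to the Data Events / Macie queues only, never "*".
        statements.append({"Sid": "ConsumeConnectorQueues", "Effect": "Allow",
                           "Action": SQS_ACTIONS, "Resource": list(sqs_queue_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def check_bucket_coverage(policy, bucket):
    """True if the policy allows ListBucket on the bucket AND GetObject on its objects.
    Only exact ARNs and the "*" wildcard are recognised; partial wildcards are not."""
    need = {("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
            ("s3:GetObject", f"arn:aws:s3:::{bucket}/*")}
    for action, target in need:
        granted = False
        for st in policy["Statement"]:
            if st["Effect"] != "Allow":
                continue
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            if action in actions and any(r in ("*", target) for r in resources):
                granted = True
                break
        if not granted:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: the guide's two example buckets plus placeholder queue ARNs.
    policy = build_policy(
        ["redshift-cluster-1-db-audit-log", "redshift-bucket-3"],
        ["arn:aws:sqs:us-east-1:123456789012:cloudtrail-data-events-queue",  # placeholder
         "arn:aws:sqs:us-east-1:123456789012:macie-alerts-queue"],           # placeholder
    )
    print(json.dumps(policy, indent=2))
    print("both buckets covered:", all(check_bucket_coverage(policy, b) for b in
                                       ["redshift-cluster-1-db-audit-log", "redshift-bucket-3"]))
```

Run it, paste the printed JSON into the IAM console as an inline policy for the connector user, and attach the policies in MANAGED_POLICIES separately. The check function is the thing to keep around: run it against the policy you actually saved whenever a new Redshift audit bucket is added.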
- Optional
- Monitor S3 and Lambda Data events - See this guide for details
- Monitor AWS Macie alerts and events - See this guide
- Recommended
(1) Use a dedicated user for the SkyFormation AWS connector
Steps
1. Log on to your SkyFormation Platform.
2. Navigate via the left navigation panel to the "Settings" section.
3. Navigate via the New Settings left navigation panel to the "Accounts" section.
4. Click the "Add Account" button.
5. At "SELECT SERVICE TO ADD" choose "AWS Amazon". You will see the screen below. Fill in the following information:
- Account Name
Give this AWS cloud connector a name that is meaningful to you. This becomes the cloud app
connector name displayed in the SkyFormation platform and is added as an identifier to every
event sent from this connector to your SIEM/Log/Splunk system.
Example:
"AWS IaaS for US development"
- Description
Add any text that describes the function and business meaning of this specific cloud app
connector.
Example:
"AWS account used for cloud development needs"
- Sqs-Url
(Optional) The SQS Queue's URL where CloudTrail Data events are configured to go.
See this guide for details
- Macie-Sqs-Url
(Optional) The SQS Queue's URL where the AWS Macie events are configured to go.
See this guide for details
- Region
The region where the CloudTrail is configured.
Example:
us-east-1
- Inspector Pull Mode
Optional parameter, relevant only if your account uses the AWS Inspector service. The available options are:
1) Full: each time SkyFormation pulls Inspector information you receive the current Inspector findings, regardless of whether a finding was previously reported by SkyFormation or not.
2) Unique: you only receive events for Inspector findings that are new, i.e. were not reported by SkyFormation in previous syncs.
For example, at time t0 SkyFormation pulled Inspector and got findings a, b, c. Finding b was then corrected. Then, at time t1, SkyFormation pulled again and got findings a, b, d.
Choosing Full mode, at t0 you get events for findings a, b, c and at t1 you get a, b, d.
Choosing Unique mode, at t0 you get events for findings a, b, c and at t1 you get only d.
In versions prior to 2.4.89, the only available authentication method was via Access Key & Secret:
- Access-Key
Enter the IAM user's Access Key ID.
Example:
AKIAJC2SG3G6ZSFYAPTA
- Secret-Key
Enter the IAM user's Secret Access Key.
Example:
XsyQVAut7wPYFpcWwSTtLgZ5SgT3PQJF8+1LTtr
Starting from version 2.4.89, you can select which authentication method to use,
either:
1. "Basic", for the Access Key & Secret (same as prior to 2.4.89)
2. "STSAssumeRole", which requires, in addition to the "Basic" credentials [1]:
- Role ARN - the ARN of the role that has the permissions above assigned to it
- Role session name - a unique name to identify the use of this role, e.g. "SkyFormation"
- External ID - optional. A unique identifier that might be required when you assume a role in another account
- Account ID - the AWS account ID that these credentials connect to; a 12-digit number
This is the authentication method recommended by AWS. It also allows cross-account access.
The credentials of the IAM user (i.e. "Basic") are used to authenticate as the user that will then assume the role. That user does not need any permission other than the ability to assume the specified role.
For further reading: https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html
3. "InstanceProfile", which requires:
- Account ID - the AWS account ID that these credentials connect to; a 12-digit number
This is the recommended authentication method if the instance where SkyFormation runs is in AWS EC2 and the AWS account we want to collect data from is the same one in which the machine is hosted.
To use this method, assign a role with the required permissions to the EC2 instance running the SkyFormation app.
AWS guide on how to assign an instance profile, either via the web UI (Console) or the CLI: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
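The "STSAssumeRole" method needs two policy documents that the form does not show: the trust policy on the target role (who may assume it, and only with the agreed External ID) and the one-line policy for the "Basic" user, which, as stated above, needs nothing beyond the right to assume that role. The following added example, which is not SkyFormation's or AWS's own code, checks the four form values for consistency with the STS limits (session name 2-64 characters, External ID 2-1224 characters, 12-digit account ID that matches the Role ARN) and generates both documents. The account IDs, user and role names in it are constructed placeholders; the actual AssumeRole call is made by the SkyFormation platform, not by this script.

```python
"""Validate STSAssumeRole form values and generate the trust and user policies.

Added example, not SkyFormation's or AWS's own code. All ARNs, account IDs and
names below are constructed placeholders.
"""
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
# sts:AssumeRole limits: RoleSessionName 2-64 chars, ExternalId 2-1224 chars, no spaces.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")


def validate_assume_role_params(role_arn, session_name, account_id, external_id=None):
    """Return a list of problems with the form values; an empty list means they are consistent."""
    problems = []
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        problems.append("Role ARN must look like arn:aws:iam::<12-digit-account>:role/<name>")
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append("Account ID must be exactly 12 digits")
    elif m and m.group(1) != account_id:
        # The role lives in the account being monitored; the form's Account ID must agree.
        problems.append("Account ID does not match the account in the Role ARN")
    if not SESSION_NAME_RE.match(session_name):
        problems.append("Role session name must be 2-64 chars of [A-Za-z0-9_+=,.@-]")
    if external_id is not None and not EXTERNAL_ID_RE.match(external_id):
        problems.append("External ID must be 2-1224 chars with no spaces")
    return problems


def trust_policy(connector_user_arn, external_id=None):
    """Trust policy to attach to the target role: only the connector's IAM user may assume it,
    and, when an External ID is set, only when it presents that ID (cross-account guard)."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": connector_user_arn},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def user_policy(role_arn):
    """The only permission the "Basic" user needs: assume this one role, nothing else."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}


if __name__ == "__main__":
    # Constructed placeholders: the connector user lives in account 210987654321,
    # the read-only role in the monitored account 123456789012.
    role_arn = "arn:aws:iam::123456789012:role/SkyFormationReadOnly"
    user_arn = "arn:aws:iam::210987654321:user/skyformation-connector"
    ext_id = "skyformation-ext-42"
    problems = validate_assume_role_params(role_arn, "SkyFormation", "123456789012", ext_id)
    print("form problems:", problems or "none")
    print("trust policy for the role:")
    print(json.dumps(trust_policy(user_arn, ext_id), indent=2))
    print("policy for the Basic user:")
    print(json.dumps(user_policy(role_arn), indent=2))
```

Attach the printed trust policy to the role in the monitored account and the user policy to the IAM user whose Access Key and Secret go into the "Basic" fields; the External ID you choose is then entered both in the role's trust policy and in the connector form.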
6. Click the "SAVE" button.
Make sure the "STATUS" of the new AWS connector in the table is OK and green.
You are done!