AWS getting started guide (IAM role)
Version 5.0
May 12, 2020
www.expel.io


Contents

Overview
Pre-requisites
Step 1 — Creating AWS IAM role
    Assume an IAM role
Step 2 — AWS Multi-Tenant integration
    Create a global CloudTrail
    Create an SQS queue to receive S3 notifications
    Update SQS queue permissions
    Configure S3 notifications
    Grant Expel IAM role permissions
Step 3 — Configure AWS in Expel Workbench
    Register device in Expel Workbench
    That's it. Give yourself a pat on the back — you're done!


Overview

Organizations leveraging AWS may use multiple regions or accounts. If an organization is using many regions or accounts, it may be difficult to onboard all of them individually with Expel. This guide details how Expel can consume CloudTrail data for all AWS accounts and regions via one global CloudTrail.

There are three steps that must be completed:

1. Creating AWS IAM Role

2. AWS Single or Multi-Tenant Integration

3. Integration with Expel Workbench™

Pre-requisites

An AWS account with permissions to create a CloudTrail, an S3 bucket and an SQS (Simple Queue Service) queue, and to modify IAM (Identity and Access Management) roles.

To create a global CloudTrail across multiple accounts, you must be using AWS Organizations; otherwise, you will need to create one multi-region CloudTrail per AWS account.

Step 1 — Creating AWS IAM role

Assume an IAM role

A. Information that Expel needs (Figure 1)

Field: Description

Account ID: The ID of the AWS account (how the customer connects to Expel's AWS account; needed for onboarding but not needed in Workbench)
Role ARN: The ARN (Amazon Resource Name) of the role that Expel will assume
Role Session Name: The session name Expel will set when authenticating (length 2-64 upper- and lowercase alphanumeric characters with no spaces; underscores or any of =,.@- are allowed). You will define this unique value, for example ExpelSession
External ID: The external ID Expel needs to provide to prove we are acting on your behalf. You will define this unique value
Authn type: stsassumerole

Figure 1


B. Log in to the AWS console and navigate to the IAM service. Use the Find Services search box, or expand All Services and look for IAM under Security, Identity, & Compliance (Figure 2)

Figure 2

C. Create an IAM policy for Expel that manages the permissions for the user. Navigate to Policies and click Create Policy (Figure 3)

Figure 3


D. Add the required permissions to the policy. Select the JSON tab and copy and paste the text below; then press Review Policy (Figure 4 and Figure 5)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "autoscaling:Describe*",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "iam:List*",
        "logs:Describe*",
        "cloudtrail:GetTrailStatus",
        "iam:GenerateServiceLastAccessedDetails",
        "cloudtrail:GetEventSelectors",
        "guardduty:List*",
        "cloudwatch:Describe*",
        "iam:Get*",
        "sns:Get*",
        "iam:SimulatePrincipalPolicy",
        "iam:SimulateCustomPolicy",
        "cloudtrail:ListTags",
        "cloudwatch:Get*",
        "logs:FilterLogEvents",
        "cloudtrail:LookupEvents",
        "lambda:ListFunctions",
        "logs:List*",
        "cloudwatch:List*",
        "guardduty:Get*",
        "logs:TestMetricFilter",
        "logs:Get*",
        "cloudtrail:DescribeTrails",
        "sns:List*",
        "s3:ListAllMyBuckets",
        "cloudtrail:ListPublicKeys",
        "kms:ListAliases",
        "iam:ListAccountAliases",
        "s3:GetBucketLocation",
        "rds:ListTagsForResource",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}

Figure 4


Figure 5

E. Review and name the policy (ExpelAPIPolicy, for example). Enter a Description for the policy and select Create Policy (Figure 6)

Figure 6


F. Create an IAM role for Expel by navigating to IAM > Roles and pressing Create role (Figure 7)

Figure 7

G. Select Another AWS account and fill out the required fields. Then click Next: Permissions (Figure 8)

Account ID: 012205512454

External ID: Choose a unique value. We recommend generating a long, unique passphrase (length 2 to 1224, no spaces; alphanumeric, and may use underscores or any of the following characters: =,.@:/-)

Figure 8


H. Find (use the search box or scroll) and attach (tick the check box) the IAM policy created earlier, then click Next: Tags (Figure 9)

Figure 9

I. On the next screen, click Next: Review to skip the optional Add tags step

J. Give the role a Name (for example, ExpelServiceRole), add a Description, and press Create Role (Figure 10)

Figure 10


K. After the role has been created, click on the new role name (ExpelServiceRole) to open the role Summary page (Figure 11)

Figure 11

L. On the Summary page, make a note of the Role ARN value, as you will need it in future steps (Figure 12)

Figure 12
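Added example (Python; not from the Expel guide): the trust policy that the "Another AWS account" plus External ID settings in step G produce, with a check that it admits only Expel's account and only when the External ID is presented. EXPEL_ACCOUNT_ID and the External ID rule are the guide's own values; EXAMPLE_EXTERNAL_ID and the function names are this example's assumptions.

```python
import json
import re

# Values from the guide: Expel's account ID (step G) and the External ID rule
# (2 to 1224 characters, no spaces, alphanumeric plus _ = , . @ : / -).
EXPEL_ACCOUNT_ID = "012205512454"
EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9_=,.@:/-]{2,1224}$")
# Constructed sample value; generate your own long, unique passphrase in practice.
EXAMPLE_EXTERNAL_ID = "example-only-external-id-replace-me"


def external_id_is_valid(external_id: str) -> bool:
    """True when the External ID satisfies the guide's length and character rule."""
    return EXTERNAL_ID_RE.fullmatch(external_id) is not None


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS account' and requiring an External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict, account_id: str, external_id: str) -> list:
    """Report anything that would let a principal other than the expected account,
    or one not presenting the recorded External ID, assume the role."""
    problems = []
    expected = f"arn:aws:iam::{account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        who = principal.get("AWS") if isinstance(principal, dict) else principal
        if who == "*":
            problems.append("Principal is '*': any AWS account could attempt AssumeRole")
        elif who != expected:
            problems.append(f"Principal {who!r} is not the expected {expected!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or not equal to the recorded External ID")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(EXPEL_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy, EXPEL_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID))
```

The same check can be run against the Trust relationships document shown on the role's Summary page after step L, to confirm nothing was widened later.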


Step 2 — AWS Multi-Tenant integration

While following the steps below, record the following information for later use (Figure 13)

Field: Description

S3 Bucket ARN: The identifier for the S3 bucket where CloudTrail logs are being sent (used during the onboarding process but not needed in Workbench)
SQS Region: The AWS region that contains the SQS queue (ex: us-east-1)
SQS Queue ARN: The identifier for the SQS queue receiving S3 notifications (used during the onboarding process but not needed in Workbench)
SQS Queue URL: The URL for the SQS queue receiving S3 notifications

Figure 13

Create a global CloudTrail

A. Log in to the AWS console. If you have multiple AWS accounts and use AWS Organizations, log in to your master account

B. Navigate to the CloudTrail service and create a new trail (Figure 14). Note: be sure to create the trail in the correct home region

Figure 14


C. When creating a new trail, ensure the radio buttons are set to "Yes" for Apply trail to all regions and Apply trail to my organization (if you are using AWS Organizations); see Figure 15

Figure 15

D. Complete configuration of the trail, optionally enabling data events for S3 buckets/Lambda functions. Create a new S3 bucket and make note of it for later (Figures 15–19)

Figure 16

Figure 17


Figure 18

Figure 19


E. Click Create; you will then see a confirmation page (Figure 20)

Figure 20

F. From the Trails listing after creating the trail, make note of the name of the S3 bucket that contains the CloudTrail logs (for example, XXXX-global-cloud-trail in the example from Figure 20 above)

G. Navigate to the S3 service in the AWS console

H. On the S3 buckets list, click on the Buckets icon next to the CloudTrail logs bucket. The property sheet will pop up. Click on the Copy Bucket ARN button. This will copy the bucket's ARN to your clipboard. You can paste this value temporarily into a text document for use later in these instructions; see Figure 21 (NOTE: in our example, the ARN was arn:aws:s3:::XXXX-global-cloud-trail)

Figure 21


Create an SQS queue to receive S3 notifications

In order to consume CloudTrail data from an S3 bucket, Expel needs to be notified when new data is added to the bucket. In this step, we will create an SQS queue for those notifications.

Note: The SQS queue must be in the same account and region as the S3 bucket containing the CloudTrail data.

I. Navigate to Simple Queue Service and click Get Started Now (if this is the first SQS queue you have created) or click Create New Queue if you already have other SQS queues defined (Figure 22)

Figure 22


J. On the next screen, enter ExpelMasterCloudTrailNotify as the Queue Name. Check that the region is the Home Region, and select Standard Queue. Then press Quick-Create Queue (Figure 23)

Figure 23

K. Once the queue is created, record the SQS Queue ARN and URL for later (Figure 24)

Figure 24


In our example:

SQS URL: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXXX/ExpelMasterCloudTrailNotify

SQS ARN: arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify

Update SQS queue permissions

In order for S3 to deliver notifications to the SQS queue, we have to update the permissions of the queue.

L. Select the Permissions tab and click "Edit Policy Document (advanced)" (Figure 25)

Figure 25

M. Update the policy JSON below and paste it in, replacing the following fields:

■ <YOUR_DEFAULT_POLICY_ID_HERE>: This value will already be in the policy template when you click on Edit Policy Document (Advanced)

■ <YOUR_SQS_QUEUE_ARN_HERE>: Paste your SQS queue ARN here

■ <YOUR_S3_BUCKET_ARN_HERE>: Paste your S3 bucket ARN here

SQS Policy Document

{
  "Version": "2012-10-17",
  "Id": "<YOUR_DEFAULT_POLICY_ID_HERE>",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "SQS:SendMessage",
      "Resource": "<YOUR_SQS_QUEUE_ARN_HERE>",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "<YOUR_S3_BUCKET_ARN_HERE>" }
      }
    }
  ]
}

See Figure 26 for a screenshot with our example values filled in.


Figure 26

N. Click Review Policy (Figure 26), and then Save Changes (Figure 27)

Figure 27


Configure S3 notifications

O. Navigate to the S3 bucket containing your CloudTrail logs (created in Steps A-H above under Create a global CloudTrail)

P. Navigate to Properties > Advanced Settings (Figure 28)

Figure 28

Q. Click on Events; then click on Add Notification

R. Give the event a Name, for example Notify Queue (see Figure 29 for Steps R-V)

S. Select the All object create events checkbox under Events

T. Select SQS Queue under Send to

U. Select the SQS queue you created in the previous steps, for example ExpelMasterCloudTrailNotify


Figure 29

V. Click Save

W. The next screen should show the Active notification under Events (Figure 30)

Figure 30


Grant Expel IAM role permissions

X. Expel needs permissions on the SQS queue and S3 bucket to handle notifications and retrieve data from the bucket. Navigate to the existing Expel role. The following steps will guide you through adding the following permissions:

SQS Permissions

– sqs:DeleteMessage

– sqs:DeleteMessageBatch

– sqs:ReceiveMessage

S3 Permissions

– s3:GetObject

Y. The steps for adding an inline policy to the Expel IAM Service Role are:

■ Go to the IAM service, select Roles, and select the role you created for the Expel IAM Service Role (ExpelServiceRole in this example); click on Add inline policy (Figure 31)

Figure 31


■ Click on the JSON tab (Figure 32)

Figure 32

■ Create a new inline policy document by replacing the following fields (Figure 33):

– <YOUR_SQS_QUEUE_ARN_HERE>: Paste your SQS queue ARN here

– <YOUR_S3_BUCKET_ARN_HERE>: Paste your S3 ARN here

Inline Policy Document

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": "<YOUR_SQS_QUEUE_ARN_HERE>"
    },
    {
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "<YOUR_S3_BUCKET_ARN_HERE>/*"
    }
  ]
}


With our example values filled in:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify"
    },
    {
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::XXXX-global-cloud-trail/*"
    }
  ]
}

Figure 33

■ Paste the policy in the JSON tab and click on Review Policy (Figure 34)

Figure 34


■ Name the inline policy “ExpelMasterCloudTrailPolicy” and click Create Policy (Figure 35)

Figure 35
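Added example (Python; not from the Expel guide): a check of the two policy documents written in this step, the SQS queue policy and the role's inline policy, against the bucket and queue ARNs recorded in Figure 13. The ARNs are the guide's placeholder example values; the policy dicts, as_list and the two *_problems functions are this example's own.

```python
# Values recorded in Figure 13; these are the guide's own placeholder examples
# (XXXX...), used here as constructed sample input.
BUCKET_ARN = "arn:aws:s3:::XXXX-global-cloud-trail"
QUEUE_ARN = "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify"

QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-policy-id",  # constructed stand-in for the pre-filled Id
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "SQS:SendMessage", "Resource": QUEUE_ARN,
                   "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN}}}],
}
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": QUEUE_ARN,
         "Action": ["sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:ReceiveMessage"]},
        {"Effect": "Allow", "Resource": BUCKET_ARN + "/*", "Action": ["s3:GetObject"]},
    ],
}

def as_list(value) -> list:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def queue_policy_problems(policy: dict, queue_arn: str, bucket_arn: str) -> list:
    """S3 must be allowed to SendMessage, but only on behalf of the CloudTrail bucket."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.lower() in ("sqs:sendmessage", "sqs:*", "*") for a in as_list(stmt.get("Action"))):
            continue
        if queue_arn not in as_list(stmt.get("Resource")):
            problems.append(f"SendMessage is granted on {stmt.get('Resource')!r}, not the queue ARN")
        principal = stmt.get("Principal")
        open_principal = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        source = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
        if open_principal and source != bucket_arn:
            problems.append("Principal '*' without an aws:SourceArn condition for the bucket: anyone could enqueue messages")
    return problems

def inline_policy_problems(policy: dict, queue_arn: str, bucket_arn: str) -> list:
    """The Expel role needs Receive/Delete on the queue and GetObject on objects under the bucket."""
    granted = {}  # lower-cased action -> set of resources it is allowed on
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            granted.setdefault(action.lower(), set()).update(as_list(stmt.get("Resource")))
    problems = []
    for action in ("sqs:receivemessage", "sqs:deletemessage", "sqs:deletemessagebatch"):
        if queue_arn not in granted.get(action, set()):
            problems.append(f"{action} is not granted on the queue ARN")
    if bucket_arn + "/*" not in granted.get("s3:getobject", set()):
        problems.append("s3:GetObject must be granted on <bucket ARN>/* (the objects), not the bucket ARN alone")
    problems += [f"{a} is granted on Resource '*'" for a, res in granted.items() if "*" in res]
    return problems
```

The GetObject check catches the common slip of pasting the bucket ARN without the trailing /*, which leaves Expel unable to read the log objects even though the queue notifications arrive.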

Z. That's it! Now you're ready to integrate AWS with Expel Workbench. You can do this directly within Workbench by following the steps below, or provide the following information to your Expel Engagement Manager or Customer Success Engineer:

■ SQS Region (ex: us-east-1)

■ Role ARN

■ Role Session Name

■ External ID

■ Authn type = stsassumerole

■ SQS Queue URL


Step 3 — Configure AWS in Expel Workbench

Now that we have gathered all the needed information, we can integrate AWS with Expel.

Register device in Expel Workbench

A. In a new browser tab, log in to https://workbench.expel.io

B. Enter the Security Code from Google Authenticator (two-factor authentication)

C. On the console page, navigate to Settings and click Security Devices

D. At the top right of the page, select Add Security Device (Figure 36)

Figure 36

E. Search for and select Amazon Multi-Tenant (Figure 37)

Figure 37

F. Select an Assembler from the drop-down (choose the Assembler you set up in Step 2 of the Getting Started with Expel guide)


G. Enter the Assembler Name and Location (examples in Figure 38 for Steps F and G)

Figure 38

H. Figure 39 lists the fields that need to be completed in Workbench:

Field: Description

SQS Region: The AWS region in use (ex: us-east-1)
Role ARN (from Step 1, letter L): The ARN (Amazon Resource Name) of the role that Expel will assume
Role Session Name: The session name Expel will set when authenticating (length 2–64 upper- and lowercase alphanumeric characters with no spaces; underscores or any of =,.@- are allowed)
External ID (from Step 1, letter G): The external ID Expel needs to provide to prove we are acting on your behalf
Authn type: stsassumerole
SQS Queue URL (from Step 2, letter K): The URL for the SQS queue receiving S3 notifications

Figure 39


I. Enter the data from the table above in the fields in Workbench as shown in Figure 40

Figure 40

J. Select Save

K. Backend configuration will take about 30 minutes to complete. Then refresh the Security Devices page; you should see your device status reporting as Healthy, or, if there is an issue, more details about what the issue may be

L. To check whether alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for AWS alerts

That's it. Give yourself a pat on the back — you're done!

If you have any issues, concerns, questions or feedback, please don't hesitate to contact Expel at devicehealth@expel.io.