www.expel.io
AWS getting started guide (IAM user)
Version 5.0
May 12, 2020
Contents
Overview
Pre-requisites
Step 1 — Creating AWS IAM user
  Static IAM user credentials
Step 2 — AWS Multi-Tenant integration
  Create a global CloudTrail
  Create an SQS queue to receive S3 notifications
  Update SQS queue permissions
  Configure S3 notifications
  Grant Expel IAM user permissions
Step 3 — Configure AWS in Expel Workbench
  Register device in Expel Workbench
That’s it. Give yourself a pat on the back — you’re done!
Overview
Organizations leveraging AWS may use multiple regions or accounts. If an organization is using many regions or accounts, it may be difficult to onboard all of them individually with Expel. This guide details how Expel can consume CloudTrail data for all AWS accounts and regions via one global CloudTrail.
There are three steps that must be completed:
1. Creating AWS IAM user
2. AWS Single or Multi-Tenant integration
3. Integration with Expel Workbench™
Pre-requisites
An AWS account with permissions to create a CloudTrail, S3 Bucket, SQS (Simple Queue Service) Queue, and modify IAM (Identity and Access Management) users.
To create a global CloudTrail across multiple accounts, you must be using AWS Organizations; otherwise, you’ll need to create one multi-region CloudTrail per AWS account.
Step 1 — Creating AWS IAM user
Static IAM user credentials
A. Information that Expel needs (Figure 1)
Field: Description
Access Key: Access key for an IAM user with the required permissions
Secret Key: Secret key for an IAM user with the required permissions
Authn type: basic
Figure 1
B. Log in to the AWS console and navigate to the IAM service. Use the Find Services search box, or expand All Services and look for IAM Service under Security, Identity, & Compliance (Figure 2)
Figure 2
C. Create an IAM Policy for Expel that manages the permissions for the user. Navigate to Policies and click Create Policy (Figure 3)
Figure 3
D. Add the required permissions to the policy. Select the JSON tab and copy and paste the text below, then press Review Policy (Figure 4 and Figure 5)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport",
        "autoscaling:Describe*",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "iam:List*",
        "logs:Describe*",
        "cloudtrail:GetTrailStatus",
        "iam:GenerateServiceLastAccessedDetails",
        "cloudtrail:GetEventSelectors",
        "guardduty:List*",
        "cloudwatch:Describe*",
        "iam:Get*",
        "sns:Get*",
        "iam:SimulatePrincipalPolicy",
        "iam:SimulateCustomPolicy",
        "cloudtrail:ListTags",
        "cloudwatch:Get*",
        "logs:FilterLogEvents",
        "cloudtrail:LookupEvents",
        "lambda:ListFunctions",
        "logs:List*",
        "cloudwatch:List*",
        "guardduty:Get*",
        "logs:TestMetricFilter",
        "logs:Get*",
        "cloudtrail:DescribeTrails",
        "sns:List*",
        "s3:ListAllMyBuckets",
        "cloudtrail:ListPublicKeys",
        "kms:ListAliases",
        "iam:ListAccountAliases",
        "s3:GetBucketLocation",
        "rds:ListTagsForResource",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}
Figure 4
Figure 5
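The policy in step D is meant to be read-only: every action is a Describe/Get/List/Lookup/Simulate/Test/Filter/Generate call against Resource "*". Before attaching a copy of it (or a locally modified one), it is worth confirming mechanically that no write-capable action or bare wildcard slipped in. The checker below is an added example written for this guide, not Expel's own tooling; the READ_ONLY_VERBS prefix list is this example's heuristic, and the policy constant reproduces the step D document.

```python
"""Lint the step D IAM policy: report any Allow action that is not an
obviously read-only verb, and any NotAction or bare wildcard."""
import copy
import json

# Verb prefixes this example treats as read-only (heuristic, not an AWS-defined list).
READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup", "Simulate",
                   "Test", "Filter", "Generate")

# The policy document from step D of the guide.
EXPEL_API_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["iam:GenerateCredentialReport", "autoscaling:Describe*",
     "ec2:DescribeInstances", "ec2:DescribeRegions", "iam:List*",
     "logs:Describe*", "cloudtrail:GetTrailStatus",
     "iam:GenerateServiceLastAccessedDetails", "cloudtrail:GetEventSelectors",
     "guardduty:List*", "cloudwatch:Describe*", "iam:Get*", "sns:Get*",
     "iam:SimulatePrincipalPolicy", "iam:SimulateCustomPolicy",
     "cloudtrail:ListTags", "cloudwatch:Get*", "logs:FilterLogEvents",
     "cloudtrail:LookupEvents", "lambda:ListFunctions", "logs:List*",
     "cloudwatch:List*", "guardduty:Get*", "logs:TestMetricFilter",
     "logs:Get*", "cloudtrail:DescribeTrails", "sns:List*",
     "s3:ListAllMyBuckets", "cloudtrail:ListPublicKeys", "kms:ListAliases",
     "iam:ListAccountAliases", "s3:GetBucketLocation",
     "rds:ListTagsForResource", "rds:DescribeDBInstances"],
   "Resource": "*"}]}
""")


def non_read_only_actions(policy):
    """Return every action in an Allow statement that is not clearly read-only.

    A bare wildcard ("*" or "service:*") is reported because it includes
    write actions; a NotAction statement is reported because it grants
    everything except the listed actions.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if not verb or verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                findings.append(action)
    return findings


def with_extra_actions(policy, extra):
    """Copy of the policy with extra actions appended to its first statement
    (used to show what a drifted copy of the policy looks like to the linter)."""
    drifted = copy.deepcopy(policy)
    drifted["Statement"][0]["Action"].extend(extra)
    return drifted


if __name__ == "__main__":
    print("guide policy findings:", non_read_only_actions(EXPEL_API_POLICY))
    drifted = with_extra_actions(EXPEL_API_POLICY, ["s3:PutObject", "iam:*"])
    print("drifted policy findings:", non_read_only_actions(drifted))
```

Run it against the JSON you actually paste into the console: an empty result for the guide's policy is the expected baseline, and anything reported is an action to justify before attaching the policy.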
E. Review and Name (ExpelAPIPolicy, for example) the policy. Enter a Description for the policy and press Create Policy (Figure 6)
Figure 6
F. Create an IAM User for Expel by navigating to IAM > Users and press Add User (Figure 7)
Figure 7
G. Provide the User name (for example, ExpelAPI) and enable programmatic access. Then press Next: Permissions (Figure 8)
Figure 8
H. On the next screen, find and attach the Expel IAM Policy created earlier to the IAM User. Then press Next: Tags (Figure 9)
Figure 9
I. On the next screen, click Next: Review to skip the optional Add tags step
J. Review the user details and press Create user (Figure 10)
Figure 10
K. Once the user has been created, you will be presented with the access key and secret. This will be the only time you can view the Secret Access Key, so make sure to save the Access Key ID and Secret Access Key in a safe place. Expel will need them later to authenticate as this user (Figure 11)
Figure 11
Step 2 — AWS Multi-Tenant integration
While working through the steps below, please record the following information for later use (Figure 12)
Field: Description
S3 Bucket ARN: The identifier for the S3 bucket where CloudTrail logs are being sent (used during the onboarding process but not needed in Workbench)
SQS Region: The AWS region that contains the SQS queue (ex: us-east-1)
SQS Queue ARN: The identifier for the SQS queue receiving S3 notifications (used during the onboarding process but not needed in Workbench)
SQS Queue URL: The URL for the SQS queue receiving S3 notifications (used during the onboarding process but not needed in Workbench)
Figure 12
Create a global CloudTrail
A. Log in to the AWS console. If you have multiple AWS accounts and use AWS Organizations, log into your master account
B. Navigate to the CloudTrail service and create a new trail (Figure 13). Note: Be sure to create the trail in the correct home region
Figure 13
C. When creating a new trail, ensure the radio dials are updated to “Yes” for Apply trail to all regions and Apply trail to my organization (if you are using AWS Organizations) — See Figure 14
Figure 14
D. Complete configuration of the trail, optionally enabling data events for S3 buckets/Lambda functions. Create a new S3 bucket and make note of it for later (Figures 14–18)
Figure 15
Figure 16
Figure 17
Figure 18
E. Click Create, then you will see a confirmation page (Figure 19)
Figure 19
F. From the Trails listing after creating the trail, make note of the name of the S3 bucket that contains the CloudTrail logs (for example, XXXX-global-cloud-trail in Figure 19 above)
G. Navigate to the S3 service in the AWS console
H. On the S3 buckets list, click on the Buckets icon next to the CloudTrail logs bucket. The property sheet will pop up. Click on the Copy Bucket ARN button. This will copy the bucket’s ARN into your clipboard. You can paste this value temporarily into a text document for use later in these instructions — See Figure 20 (NOTE: in our example, the ARN was arn:aws:s3:::XXXX-global-cloud-trail)
Figure 20
Create an SQS queue to receive S3 notifications
In order to consume CloudTrail data from an S3 bucket, Expel needs to be notified when new data is added to the bucket. In this step, we will create an SQS queue for those notifications.
Note: The SQS queue must be in the same account & region as the S3 bucket containing the CloudTrail data
I. Navigate to Simple Queue Service and click Get Started Now (if this is the first SQS queue you have created) or click Create New Queue if you already have other SQS Queues defined (Figure 21)
Figure 21
J. On the next screen, Queue Name is filled in as ExpelMasterCloudTrailNotify. Check the region is the Home Region, and select Standard Queue. Then press Quick-Create Queue (Figure 22)
Figure 22
K. Once the queue is created, record the SQS Queue ARN and URL for later (Figure 23)
Figure 23
In our example:
SQS URL: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXXX/ExpelMasterCloudTrailNotify
SQS ARN: arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify
Update SQS queue permissions
In order for S3 to deliver notifications to the SQS queue, we have to update the permissions of the queue.
L. Select the Permissions tab and click “Edit Policy Document (advanced)” (Figure 24)
Figure 24
M. Update the policy JSON below and paste it in, replacing the following fields:
■ <YOUR_DEFAULT_POLICY_ID_HERE>: This value will already be in the Policy Template when you click on Edit Policy Document (Advanced)
■ <YOUR_SQS_QUEUE_ARN_HERE>: Paste your SQS queue ARN here
■ <YOUR_S3_BUCKET_ARN_HERE>: Paste your S3 bucket ARN here
SQS Policy Document
{
  "Version": "2012-10-17",
  "Id": "<YOUR_DEFAULT_POLICY_ID_HERE>",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "SQS:SendMessage",
      "Resource": "<YOUR_SQS_QUEUE_ARN_HERE>",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "<YOUR_S3_BUCKET_ARN_HERE>" }
      }
    }
  ]
}
See Figure 25 for a screenshot with our example values filled in.
Figure 25
N. Click Review Policy (Figure 25), and then Save Changes (Figure 26)
Figure 26
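The queue policy in step M grants SQS:SendMessage to Principal "*"; the only thing that stops an arbitrary sender from injecting messages into the queue is the ArnLike condition on aws:SourceArn, which pins the sender to your CloudTrail bucket. A common mistake when editing the policy in the console is to drop or widen that condition. The following checker is an added example, not part of the Expel guide or its tooling; the bucket and queue ARNs are constructed placeholders in the guide's own format, and the policy Id value is made up.

```python
"""Check an SQS queue policy of the step M shape: a statement that lets
Principal "*" call SQS:SendMessage must be conditioned on aws:SourceArn
equal to the CloudTrail bucket ARN, and must name only the expected queue."""
import copy

BUCKET_ARN = "arn:aws:s3:::XXXX-global-cloud-trail"            # guide's example format
QUEUE_ARN = "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify"

# Step M policy with the placeholders filled in (Id is a constructed value).
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Id": "ExampleQueuePolicyId",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "SQS:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN}},
    }],
}


def _is_anonymous(principal):
    """True for the two spellings of an unrestricted principal."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _source_arns(condition):
    """Collect aws:SourceArn values from ArnLike / ArnEquals condition blocks."""
    arns = []
    for operator in ("ArnLike", "ArnEquals"):
        value = condition.get(operator, {}).get("aws:SourceArn")
        if isinstance(value, str):
            arns.append(value)
        elif isinstance(value, list):
            arns.extend(value)
    return arns


def queue_policy_findings(policy, expected_bucket_arn, expected_queue_arn):
    """Return a list of human-readable problems; an empty list means the
    anonymous SendMessage grant is scoped the way step M intends."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        actions = [a.lower() for a in actions]          # IAM action names match case-insensitively
        if not any(a in ("sqs:sendmessage", "sqs:*", "*") for a in actions):
            continue
        if stmt.get("Resource") != expected_queue_arn:
            findings.append(f"statement {i}: Resource is not the expected queue ARN")
        arns = _source_arns(stmt.get("Condition", {}))
        if not arns:
            findings.append(f"statement {i}: Principal * may SendMessage with no aws:SourceArn condition")
        elif arns != [expected_bucket_arn]:
            findings.append(f"statement {i}: aws:SourceArn {arns} is not exactly {expected_bucket_arn}")
    return findings


def without_condition(policy):
    """Copy of the policy with every Condition removed (what a mis-edit looks like)."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened["Statement"]:
        stmt.pop("Condition", None)
    return weakened


if __name__ == "__main__":
    print("as written:", queue_policy_findings(QUEUE_POLICY, BUCKET_ARN, QUEUE_ARN))
    print("condition dropped:", queue_policy_findings(without_condition(QUEUE_POLICY), BUCKET_ARN, QUEUE_ARN))
```

Paste the policy you saved in step N into QUEUE_POLICY and your recorded ARNs into the two constants; a wildcard such as arn:aws:s3:::* in the condition is reported as well, since it would let any bucket in any account deliver to the queue.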
Configure S3 notifications
O. Navigate to the S3 bucket containing your CloudTrail logs (created in Steps A-H above, under Create a global CloudTrail).
P. Navigate to Properties > Advanced Settings (Figure 27)
Figure 27
Q. Click on Events and then click on Add Notification
R. Give the event a Name, for example Notify Queue (see Figure 28 for Steps R-V)
S. Select the All object create events checkbox under Events
T. Select SQS Queue under Send to
U. Select the SQS queue you created in the previous steps, for example ExpelMasterCloudTrailNotify
Figure 28
V. Click Save
W. The next screen should show the Active notification under Events (Figure 29)
Figure 29
Grant Expel IAM user permissions
X. Expel needs permissions on the SQS queue and S3 bucket to handle notifications and retrieve data from the bucket. Navigate to the existing Expel IAM user. The following steps will guide you through adding the following permissions:
SQS Permissions
– sqs:DeleteMessage
– sqs:DeleteMessageBatch
– sqs:ReceiveMessage
S3 Permissions
– s3:GetObject
Y. For a Static IAM User, the steps for adding an inline policy to the Expel user directly are:
■ Go to the IAM service, select Users, and select the user you created for the Static IAM User Credentials, ExpelAPI in this example. Click on Add inline policy (Figure 30)
Figure 30
■ Click on the JSON tab (Figure 31)
Figure 31
■ Create a new inline policy document by replacing the following fields (Figure 32)
– <YOUR_SQS_QUEUE_ARN_HERE>: Paste your SQS queue ARN here
– <YOUR_S3_BUCKET_ARN_HERE>: Paste your S3 bucket ARN here
Inline Policy Document
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": "<YOUR_SQS_QUEUE_ARN_HERE>"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "<YOUR_S3_BUCKET_ARN_HERE>/*"
    }
  ]
}
With our example values filled in:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::XXXX-global-cloud-trail/*"
    }
  ]
}
Figure 32
■ Paste the policy in the JSON tab and click Review Policy (Figure 33)
Figure 33
■ Name the inline policy “ExpelMasterCloudTrailPolicy” and click Create Policy (Figure 34)
Figure 34
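The three SQS actions and the single s3:GetObject in the inline policy above are exactly the calls a consumer of this pipeline makes: receive the S3 event notification from the queue, fetch the CloudTrail object it names, and delete the message once it is handled. The script below walks through that loop without touching AWS, so the shape of the messages and the edge cases are visible. It is an added example written for this guide, not Expel's code: the queue messages and the gzipped log object are constructed in-memory samples in the formats S3 and CloudTrail emit (including the s3:TestEvent message S3 sends when a notification is first configured), and the bucket name and account id are the guide's placeholders.

```python
"""Simulate the consumer side of steps X-Y: ReceiveMessage -> GetObject ->
DeleteMessage, over constructed S3 notifications and a constructed
CloudTrail log file. No AWS calls are made."""
import gzip
import io
import json
import urllib.parse

EXPECTED_BUCKET = "XXXX-global-cloud-trail"   # bucket name from the guide's example
LOG_PREFIX = "AWSLogs/"                        # key prefix CloudTrail writes under

# Constructed CloudTrail log file: one record, gzipped as CloudTrail delivers it.
_SAMPLE_RECORD = {
    "eventVersion": "1.05", "eventTime": "2020-05-12T14:03:11Z",
    "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
    "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::XXXXXXXXXXXX:user/example-user"},
}
_SAMPLE_KEY = "AWSLogs/XXXXXXXXXXXX/CloudTrail/us-east-1/2020/05/12/sample_CloudTrail.json.gz"
FAKE_BUCKET = {   # stands in for s3:GetObject: (bucket, key) -> object bytes
    (EXPECTED_BUCKET, _SAMPLE_KEY): gzip.compress(json.dumps({"Records": [_SAMPLE_RECORD]}).encode()),
}

# Constructed queue messages: first the s3:TestEvent S3 publishes when the
# notification is configured, then a real ObjectCreated event for the log above.
QUEUE_MESSAGES = [
    {"ReceiptHandle": "rh-1",
     "Body": json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": EXPECTED_BUCKET})},
    {"ReceiptHandle": "rh-2",
     "Body": json.dumps({"Records": [{
         "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": EXPECTED_BUCKET, "arn": "arn:aws:s3:::" + EXPECTED_BUCKET},
                "object": {"key": _SAMPLE_KEY}}}]})},
]


def object_refs(message_body):
    """Return (bucket, key) pairs for ObjectCreated records in one S3 notification.
    Test events, non-create events, other buckets and non-CloudTrail keys are skipped."""
    body = json.loads(message_body)
    if body.get("Event") == "s3:TestEvent":
        return []
    refs = []
    for rec in body.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])   # keys arrive URL-encoded
        if bucket == EXPECTED_BUCKET and key.startswith(LOG_PREFIX):
            refs.append((bucket, key))
    return refs


def cloudtrail_records(gz_bytes):
    """Decode one CloudTrail log object (gzipped JSON with a top-level Records list)."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh).get("Records", [])


def process_queue(messages, get_object):
    """Drain the queue. Returns (event summaries, receipt handles to delete).
    Every message is acknowledged, test events included, or it would be
    redelivered until the queue's retention period expires."""
    summaries, handled = [], []
    for msg in messages:
        for bucket, key in object_refs(msg["Body"]):
            for rec in cloudtrail_records(get_object(bucket, key)):
                summaries.append((rec["eventTime"], rec["eventName"],
                                  rec.get("userIdentity", {}).get("arn"),
                                  rec.get("sourceIPAddress")))
        handled.append(msg["ReceiptHandle"])
    return summaries, handled


if __name__ == "__main__":
    events, to_delete = process_queue(QUEUE_MESSAGES, lambda b, k: FAKE_BUCKET[(b, k)])
    for e in events:
        print(e)
    print("delete:", to_delete)
```

Against a live queue the three stages map to the SQS ReceiveMessage, S3 GetObject and SQS DeleteMessage (or DeleteMessageBatch) API calls, which is why the inline policy needs nothing beyond those four actions; the bucket check in object_refs is the consumer-side counterpart of the aws:SourceArn condition on the queue policy.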
Z. That’s it! Now you’re ready to integrate AWS with Expel Workbench. You can do this directly within Workbench following the steps below, or provide the following information to your Expel Engagement Manager or Customer Success Engineer.
■ SQS Region (ex: us-east-1)
■ Access Key
■ Secret Key
■ Authn type = basic
Step 3 — Configure AWS in Expel Workbench
Now that we have gathered all the needed information, we can integrate AWS with Expel.
Register device in Expel Workbench
A. In a new browser tab, log in to https://workbench.expel.io
B. Enter the Security Code from Google Authenticator (two-factor authentication)
C. On the console page, navigate to Settings and click Security Devices
D . At the top right of the page, select Add Security Device (Figure 35)
Figure 35
E . Search for and select Amazon Multi-Tenant (Figure 36)
Figure 36
F. Select an Assembler from the drop-down (Choose the Assembler you set up in Step 2 of the Getting Started with Expel guide)
G. Enter Assembler Name and Location (examples in Figure 37 for Steps F and G)
Figure 37
H. Figure 38 lists the fields that need to be completed in Workbench:
Field: Description
SQS Region: The AWS region in use (ex: us-east-1)
Access Key: Access key for an IAM user with the required permissions
Secret Key: Secret key for an IAM user with the required permissions
Authn type: basic
Figure 38
I. Enter the data from the table above into the fields in Workbench as shown in Figure 39
Figure 39
J. Select Save
K. Backend configuration will take 30 minutes to complete; then refresh the Security Devices page and you should see your device status reporting as Healthy, or if there is an issue, it will provide more details of what the issue may be
L. To check and see if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for AWS alerts
That’s it. Give yourself a pat on the back — you’re done!
If you have any issues, concerns, questions or feedback, please don’t hesitate to contact Expel at devicehealth@expel.io.