1. Sign in to the AWS Management Console with Account A.
2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
3. Create a new stack by using one of the following options:
a. Choose Create Stack. This is the only option if you have a currently running stack.
b. Choose Create Stack on the Stacks page. This option is visible only if you have no running stacks.
4. Select With new resources (standard).
5. On the Create stack page:
a. Under Prerequisite - Prepare template, select the Template is ready option.
b. Under Specify template, select Upload a template file.
c. Choose File and select the template file CloudFormation.yaml. Once you have chosen your template, CloudFormation uploads the file and displays the S3 URL.
d. Click on Next.
6. Specify the stack details:
a. Type a stack name of your choice.
b. Parameters:
CreateNewRole: If a role named 'ACNMDRCrossAccountRole' does not exist and needs to be created, select 'Yes'. Otherwise select 'No'.
ACNMDRAwsAccountARN: Provide the Accenture MDR account ARN for which the cross-account role is created.
ACNMDRExternalId: External ID provided by Accenture MDR for the account. If Accenture MDR has not provided one, type an External ID of your choice, e.g. <Customer account ID>.
LoggingResource:
a) S3Bucket: data is collected directly from the S3 bucket.
b) SQS: an SQS queue is configured for the S3 bucket.
c) CloudWatchLog: data is collected from a CloudWatch log group.
PolicyName: A unique policy name that has not previously been used for a policy attached to 'ACNMDRCrossAccountRole'. Recommended PolicyNames: CrossAccountPolicyFor<S3BucketName>, CrossAccountPolicyFor<SQSName> or CrossAccountPolicyFor<LogGroupName>.
S3BucketARN: ARN of the S3 bucket from which logs are collected. S3BucketARN is also required if LoggingResource is 'SQS'. Example values: arn:aws:s3:::<BucketName> or arn:aws:s3:::<BucketName>/<PrefixPath>/. (Note: keep S3BucketARN blank in the case of 'CloudWatchLogs'.)
SQSOrCloudWatchLogGroupARN: Provide the SQS or CloudWatch log group ARN matching the LoggingResource selection. It is required if LoggingResource is 'SQS' or 'CloudWatchLogs'. (Note: keep SQSOrCloudWatchLogGroupARN blank if LoggingResource is 'S3Bucket'.)
c. Click on Next.
7. Under Configure stack options, add tags and permissions as required by your organization's standards and naming conventions, or leave them unchanged, then click on the Next button.
8. On the Review page, review the details of your stack, select the acknowledgment checkbox, and click on the Create stack button.
9. While your stack is being created, it appears on the Stacks page with the status CREATE_IN_PROGRESS; after some time the status changes to CREATE_COMPLETE.
10. Once the stack is created, go to the Outputs tab, copy the output values, and share them with Accenture MDR.
Note: The CloudFormation template creates a new role named "ACNMSSCrossAccountRole" and attaches read-only policies to it for the resources that need to be monitored. The template also has the option to attach the read-only resource policies to a pre-existing role named "ACNMSSCrossAccountRole".
Below are the resource policies that get attached to "ACNMSSCrossAccountRole" based on the logging resources selected in the template.
[Three expandable policy sections (one per logging resource) are not reproduced here.]
Note: In the case of SQS, make sure you are creating and attaching the SQS policy as well as the S3 policy to the role.
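The following CloudFormation fragment is an added illustration of the pattern the steps above describe; it is not the Accenture MDR CloudFormation.yaml, which is not reproduced on this page. It uses the parameter names from step 6 and shows the two security-relevant pieces of such a template: a trust policy that only lets the named MDR principal assume the role when it presents the External ID (the confused-deputy guard), and read-only policies selected by LoggingResource, with the SQS case attaching both the SQS and the S3 policy as the note requires. The role name ACNMDRCrossAccountRole (taken from the CreateNewRole parameter text), the logical resource names, the specific IAM actions, and the assumption that S3BucketARN is given as a plain bucket ARN are all assumptions of this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Illustrative cross-account read-only log-collection role (added example,
  not the Accenture MDR template). Parameter names follow the page; resource
  names, IAM actions and the role name are assumptions.

Parameters:
  CreateNewRole:
    Type: String
    AllowedValues: ["Yes", "No"]
    Default: "Yes"
  ACNMDRAwsAccountARN:
    Type: String
    Description: ARN of the MDR principal allowed to assume the role
  ACNMDRExternalId:
    Type: String
    NoEcho: true          # keep the External ID out of console/parameter listings
    Description: External ID the MDR side must present on sts:AssumeRole
  LoggingResource:
    Type: String
    AllowedValues: [S3Bucket, SQS, CloudWatchLog]
  PolicyName:
    Type: String
  S3BucketARN:
    Type: String
    Default: ""           # assumed plain bucket ARN, e.g. arn:aws:s3:::<BucketName>
  SQSOrCloudWatchLogGroupARN:
    Type: String
    Default: ""

Conditions:
  ShouldCreateRole: !Equals [!Ref CreateNewRole, "Yes"]
  UseS3: !Equals [!Ref LoggingResource, S3Bucket]
  UseSQS: !Equals [!Ref LoggingResource, SQS]
  UseCloudWatch: !Equals [!Ref LoggingResource, CloudWatchLog]
  # SQS collection still reads the objects the queue points at, so the S3
  # policy is attached for both S3Bucket and SQS (see the note above).
  NeedsS3Policy: !Or [!Condition UseS3, !Condition UseSQS]

Resources:
  CrossAccountRole:
    Type: AWS::IAM::Role
    Condition: ShouldCreateRole
    Properties:
      RoleName: ACNMDRCrossAccountRole   # assumed; matches the parameter text
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref ACNMDRAwsAccountARN   # only the MDR principal
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ACNMDRExternalId   # confused-deputy guard

  # Attach to the role created here, or to the pre-existing role of that name.
  S3ReadPolicy:
    Type: AWS::IAM::Policy
    Condition: NeedsS3Policy
    Properties:
      PolicyName: !Sub "${PolicyName}-s3"
      Roles: [!If [ShouldCreateRole, !Ref CrossAccountRole, ACNMDRCrossAccountRole]]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: [s3:GetBucketLocation, s3:ListBucket]
            Resource: !Ref S3BucketARN
          - Effect: Allow
            Action: [s3:GetObject]
            Resource: !Sub "${S3BucketARN}/*"   # narrow to a prefix if one is used

  SQSReadPolicy:
    Type: AWS::IAM::Policy
    Condition: UseSQS
    Properties:
      PolicyName: !Sub "${PolicyName}-sqs"
      Roles: [!If [ShouldCreateRole, !Ref CrossAccountRole, ACNMDRCrossAccountRole]]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: [sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes, sqs:GetQueueUrl]
            Resource: !Ref SQSOrCloudWatchLogGroupARN

  CloudWatchReadPolicy:
    Type: AWS::IAM::Policy
    Condition: UseCloudWatch
    Properties:
      PolicyName: !Sub "${PolicyName}-logs"
      Roles: [!If [ShouldCreateRole, !Ref CrossAccountRole, ACNMDRCrossAccountRole]]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: [logs:DescribeLogGroups]   # this action only accepts Resource "*"
            Resource: "*"
          - Effect: Allow
            Action: [logs:DescribeLogStreams, logs:GetLogEvents, logs:FilterLogEvents]
            Resource: !Ref SQSOrCloudWatchLogGroupARN

Outputs:
  CrossAccountRoleArn:    # the value step 10 says to copy and share
    Value: !If
      - ShouldCreateRole
      - !GetAtt CrossAccountRole.Arn
      - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/ACNMDRCrossAccountRole"
```

Two points worth checking against whatever template you actually deploy: the trust policy should name a specific principal and carry the sts:ExternalId condition (a trust policy with Principal "*" or without the condition lets any caller who learns the role ARN assume it), and every attached policy should be limited to read/list/describe actions on the one bucket, queue or log group being monitored rather than on "*".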
Configure IAM role in MDR SOC AWS account (Account B) to access customer resource (MDR Side Configuration)