...

  1. The AWS user performing these steps needs permission to create and modify IAM roles and policies.

  2. The AWS user needs permission to attach a role (instance profile) to the EC2 instance that hosts the LCP; besides the EC2 permission this requires iam:PassRole on the role being attached.

Scope

  1. Log collection within the same AWS account (the LCP and the logging resource(s) are in the same AWS account; mainly used for MDR self-monitoring)

  2. Log collection across AWS accounts (the LCP is hosted in the MDR SOC AWS account and the logging resource is in the customer AWS account)

Note: The supported logging resources are S3 buckets, SQS queues, and CloudWatch log groups.

...

Log Collection

...

  1. Sign in to the AWS Management Console.

  2. Open the AWS Identity and Access Management (IAM) console.

  3. In the navigation pane, choose Roles.

  4. Choose Create role.

  5. For Select type of trusted entity, choose AWS service, and under Choose a use case choose EC2. This makes the EC2 service the only principal that can assume the role, so only the instance it is attached to receives its credentials.

...

6. Click Next: Permissions at the bottom

7. Choose Create policy

8. Choose the JSON tab

9. Type or paste the JSON policy below that matches your logging source. Replace every placeholder (bucketname, region, accountID, specificLogGroupName, SQSName) with the real value; do not widen the Resource to "*".

...

In case of S3 bucket

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
    }
  ]
}

s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against the object ARN (bucketname/*), so both resource entries are required. No write actions are granted: the LCP only reads logs.

...

In case of CloudWatch log groups

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:region:accountID:log-group:specificLogGroupName:*"
      ]
    }
  ]
}

Add one ARN per log group the LCP should read. The trailing ":*" covers the log group and the log streams inside it.
In case of SQS

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:ListQueues"
      ],
      "Resource": "arn:aws:sqs:region:accountID:SQSName"
    }
  ]
}

Note: For an SQS logging source, create and attach both the SQS policy and the S3 policy to the role. The queue only carries the notifications; the log objects themselves are still fetched from the S3 bucket, so the collector fails without the S3 read permissions.

10. Click Next: Tags at the bottom.

11. Add a tag to the policy (Optional)

12. Click Next: Review

13. Give appropriate name to policy, review it, and Click Create policy.

14. Back in the Create role wizard, search for the policy you just created in the Search box under Attach permissions policies, select it, and click Next: Tags.

...

16. Give appropriate name to the Role, review it, and Click Create role.

17. Go back to AWS Management Console.

18. Open the EC2 Dashboard.

19. Go to Instances (running) if the LCP instance is running; otherwise go to Instances, search for the LCP instance and start it.

...

21. Search for the IAM role that you have created earlier and click Save.

...

22. Go to the LCP UI and configure the appropriate collector using the sensor configuration below. With both key fields set to "na", the collector uses the IAM role attached to the instance instead of static access keys.

Property                              | Value                    | Description
--------------------------------------|--------------------------|------------------------------------------------------------
Secret Access Key                     | na                       | Configure it as "na"
Secret Access ID                      | na                       | Configure it as "na"
S3 Bucket/Log Group(s)/SQS Queue URL  | <Resource Name>          | Provide the S3 bucket name, log group name(s) or SQS queue URL, according to the logging source
Region                                | <Region>                 | Enter the region (e.g., us-west-2)
Logging Source                        | <Select logging Source>  | Select the logging source from the dropdown: S3, CloudWatch or SQS
Bucket Prefix Path(s)                 | <PrefixPath>             | Only when the logging source is S3; example: /AWSLogs/Account-ID/CloudTrail/region
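The whole same-account procedure above reduces to three policy shapes plus the EC2 trust policy, and the mistakes that cause AccessDenied or over-permission are the same every time: a placeholder left in a Resource, a wildcard, or an SQS source without its S3 policy. The following is an added example (not LCP code) that builds the policy document from the sensor settings in the table and checks it before it is pasted into the IAM JSON tab. The sensor dict keys (source, resource, region, bucket), the account_id parameter and all account IDs, bucket and queue names are this example's own constructed values.

```python
"""Build and check the LCP collector's IAM policy from its sensor settings.

Added example, not LCP code. Reproduces the three statement shapes from the
Code Blocks above and pairs S3 with SQS as the note requires. Sensor keys
(source, resource, region, bucket) and account_id are this example's names.
"""
import json
import re

POLICY_VERSION = "2012-10-17"

# Trust policy the IAM console writes for "AWS service -> EC2": only the EC2
# service can assume the role, so only the attached instance gets credentials.
EC2_TRUST_POLICY = {
    "Version": POLICY_VERSION,
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Queue URL form: https://sqs.<region>.amazonaws.com/<12-digit account>/<name>
_SQS_URL = re.compile(r"^https://sqs\.([a-z0-9-]+)\.amazonaws\.com/(\d{12})/([A-Za-z0-9_-]+)$")


def s3_statement(bucket):
    # ListBucket is checked against the bucket ARN, GetObject against object
    # ARNs, so both forms are needed; no write actions are granted.
    return {
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def cloudwatch_statement(region, account_id, log_groups):
    # Trailing ":*" covers the log group and the log streams inside it.
    return {
        "Effect": "Allow",
        "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                   "logs:FilterLogEvents", "logs:GetLogEvents"],
        "Resource": [f"arn:aws:logs:{region}:{account_id}:log-group:{g}:*"
                     for g in log_groups],
    }


def sqs_statement(queue_url):
    # Derive the queue ARN from the queue URL held in the sensor config.
    m = _SQS_URL.match(queue_url)
    if not m:
        raise ValueError(f"not an SQS queue URL: {queue_url}")
    region, account_id, name = m.groups()
    return {
        "Effect": "Allow",
        "Action": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl",
                   "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ListQueues"],
        "Resource": f"arn:aws:sqs:{region}:{account_id}:{name}",
    }


def build_policy(sensor, account_id=None):
    """sensor mirrors the LCP table: source (S3|CloudWatch|SQS), resource, region, bucket (SQS only)."""
    source = sensor["source"]
    if source == "S3":
        statements = [s3_statement(sensor["resource"])]
    elif source == "CloudWatch":
        if not account_id:
            raise ValueError("account_id is required to build log group ARNs")
        groups = [g.strip() for g in sensor["resource"].split(",") if g.strip()]
        statements = [cloudwatch_statement(sensor["region"], account_id, groups)]
    elif source == "SQS":
        # An SQS source still reads the objects from the bucket, so attach both.
        statements = [sqs_statement(sensor["resource"]), s3_statement(sensor["bucket"])]
    else:
        raise ValueError(f"unsupported logging source: {source}")
    return {"Version": POLICY_VERSION, "Statement": statements}


# Placeholder names from the page's Code Blocks that must not survive into a real policy.
PLACEHOLDERS = ("bucketname", "accountID", "specificLogGroupName", "SQSName", ":region:")


def check_least_privilege(policy):
    """Return the problems a reviewer would reject: wildcards and unreplaced placeholders."""
    problems = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                problems.append(f"wildcard action: {a}")
        for r in resources:
            if r == "*":
                problems.append("wildcard resource")
            elif any(p in r for p in PLACEHOLDERS):
                problems.append(f"placeholder not replaced: {r}")
    return problems


def render(policy):
    """JSON ready to paste into the IAM console's JSON tab."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample: an SQS queue fed by S3 event notifications from a CloudTrail bucket.
    sensor = {"source": "SQS", "region": "us-west-2",
              "resource": "https://sqs.us-west-2.amazonaws.com/123456789012/lcp-cloudtrail",
              "bucket": "customer-cloudtrail-logs"}
    policy = build_policy(sensor)
    assert check_least_privilege(policy) == []
    print(render(policy))
```

Run the check on the policy before pasting it: a placeholder such as bucketname that was not replaced does not produce a console error, only an AccessDenied at collection time, and a Resource of "*" silently grants the LCP read access to every bucket or log group in the account.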

...

Log collection across AWS accounts (the LCP is hosted in the MDR SOC AWS account and the logging resource is in the customer AWS account)

Follow these steps:

  • Configure an IAM role in the customer AWS account (Account A) with the appropriate read permissions on the logging resource (customer-side configuration).

  • Configure an IAM role in the MDR SOC AWS account (Account B) that is allowed to use the Account A role to access the customer resource (MDR-side configuration).
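The two bullets are the two halves of one cross-account role delegation: the Account A role must trust the Account B role, and the Account B role must be allowed to assume it. The following is an added example, not LCP or MDR code, that writes both policy documents and checks the customer-side trust policy for the usual over-trust mistakes. It assumes the LCP obtains the customer-side credentials with sts:AssumeRole (the page does not say how the Account B role reaches the resource) and adds an ExternalId condition the page does not mention, which stops any other party that knows the role ARN from having the MDR role assumed on its behalf. The account IDs, role names and ExternalId value are constructed.

```python
"""Policy pair for cross-account collection: customer role (Account A) and MDR role (Account B).

Added example, not LCP or MDR code. Assumes the LCP assumes the customer role
via sts:AssumeRole and adds an ExternalId condition as a recommendation.
All ARNs and the ExternalId are constructed values.
"""
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def customer_trust_policy(mdr_role_arn, external_id):
    """Trust policy on the Account A role: only the named Account B role may assume it,
    and only when it presents the agreed ExternalId."""
    if not ROLE_ARN.match(mdr_role_arn):
        raise ValueError(f"not an IAM role ARN: {mdr_role_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": mdr_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def mdr_assume_policy(customer_role_arn):
    """Permission policy attached to the Account B (LCP instance) role: it may assume
    the one customer role and nothing else."""
    if not ROLE_ARN.match(customer_role_arn):
        raise ValueError(f"not an IAM role ARN: {customer_role_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": customer_role_arn,
        }],
    }


def check_trust_policy(policy):
    """Flag trust policies wider than the one produced above: an anonymous or
    whole-account principal, or a missing ExternalId condition."""
    problems = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in aws if isinstance(aws, list) else [aws]:
            if p == "*":
                problems.append("trusts every AWS principal")
            elif p.endswith(":root"):
                problems.append(f"trusts the whole account: {p}")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            problems.append("no ExternalId condition")
    return problems


if __name__ == "__main__":
    # Constructed values: Account A = customer 111111111111, Account B = MDR SOC 222222222222.
    mdr_role = "arn:aws:iam::222222222222:role/lcp-collector"
    customer_role = "arn:aws:iam::111111111111:role/mdr-log-reader"
    trust = customer_trust_policy(mdr_role, "mdr-7f3a")
    assert check_trust_policy(trust) == []
    print(trust)
    print(mdr_assume_policy(customer_role))
```

The customer-side role also needs the same S3, CloudWatch or SQS permission policy as in the same-account case; only the trust relationship changes. Trusting the Account B account root (arn:aws:iam::222222222222:root) instead of the specific role would let any principal that Account B's own IAM permits assume the customer role, which is why the checker flags it.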

...