Versions Compared


...

  1. AWS users should have access to create and modify the IAM role.

  2. AWS users should have access to assign a role to the EC2 instance (LCP).

  3. Get the assumable role ARN from the Accenture MDR device onboarding team to configure it in the CloudFormation template's ACNMDRAwsAccountARN field.

Scope

  1. Log collection within the same AWS account (where the LCP and the logging resource(s) are in the same AWS account; mainly used for MDR self-monitoring)

  2. Log collection using a cross AWS account (where the LCP is hosted in the MDR SOC AWS account and the logging resource is in the customer AWS account)

Note: The supported logging resources are S3 bucket, SQS, and CloudWatch Logs.

...

Log Collection

...

  1. Sign in to the AWS Management Console.

  2. Open the AWS Identity and Access Management (IAM) console.

  3. In the navigation pane, choose Roles.

  4. Select Create role.

  5. For Select type of trusted entity, choose AWS service, and choose EC2 under Choose a use case.

...

6. Click Next: Permissions at the bottom

7. Choose Create policy

8. Choose the JSON tab

9. Type or paste the JSON policy below for your logging resource. Make sure you replace the placeholder resource names (bucket name, region, account ID, log group name or queue name) with your own.

...

In case of S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
    }
  ]
}

...

In case of CloudWatch log groups:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:region:accountID:log-group:specificLogGroupName"
      ]
    }
  ]
}
In case of SQS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:ListQueues"
      ],
      "Resource": "arn:aws:sqs:region:accountID:SQSName"
    }
  ]
}

Note: In the case of SQS, make sure you create and attach the SQS policy as well as the S3 policy to the role.

10. Click Next: Tags at the bottom.

11. Add a tag to the policy (Optional)

12. Click Next: Review

13. Give the policy an appropriate name, review it, and click Create policy.

14. Under Attach permissions policies, search for the policy name you just created, select it, and click Next: Tags.

...

16. Give the role an appropriate name, review it, and click Create role.

17. Go back to AWS Management Console.

18. Open the EC2 Dashboard.

19. Go to Instances (running) if the LCP machine is running; otherwise go to Instances, search for the LCP instance and start it.

...

21. Search for the IAM role that you have created earlier and click Save.

...

using

...

Property | Value | Description
Secret Access Key | na | Configure it as "na"
Secret Access ID | na | Configure it as "na"
S3 Bucket/Log Group(s)/SQS Queue URL | <Resource Name> | Provide the S3 bucket name, log group name(s) or SQS URL, depending on the logging source
Region | <Region> | Enter the region (e.g. us-west-2)
Logging Source | <Select logging Source> | Select the logging source from the dropdown: S3, CloudWatch or SQS
Bucket Prefix Path(s) | <PrefixPath> | Only when the logging source is S3; example: /AWSLogs/Account-ID/CloudTrail/region

...

cross AWS account (Where LCP is hosted in MDR SOC AWS account and logging resource is in Customer AWS account)

Follow these steps:

  • Configure IAM role in customer AWS account (Account A) with appropriate permissions to the resource (customer side configuration)

  • Configure IAM role in MDR SOC AWS account (Account B) to access customer resource (MDR Side Configuration)

...

c. Choose File to select the template file CloudFormation.yaml (attached below). Once you have chosen your template, CloudFormation uploads the file and displays the S3 URL.

d. Click on Next

...

6. Specify the stack details

...

b. Parameters:

  • CreateNewRole: If a role with the name 'ACNMDRCrossAccountRole' does not exist and it needs to be created, select 'Yes'. Otherwise select 'No'

  • ACNMDRAwsAccountARN: Provide the assumable role ARN collected from the Accenture MDR device onboarding team (the Accenture MDR assumable role is used to create the trust relationship with the customer role)

  • ACNMDRExternalId: Provide the External ID issued by Accenture MDR for the account. If Accenture MDR has not provided one, choose an External ID of your own, e.g. <Customer account ID>. Make sure the External ID matches the pattern [\w+=,.@:\/-]* as per the AWS documentation: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

  • LoggingResource

a) S3Bucket: If data is going to be collected directly from S3 Bucket

...

  • PolicyName: It should be a unique policy name that has not been used previously to assign the policy to 'ACNMDRCrossAccountRole'. Recommended PolicyNames - CrossAccountPolicyFor<S3BucketName> or CrossAccountPolicyFor<SQSName> or CrossAccountPolicyFor<LogGroupName>

  • S3BucketARN: ARN of the S3 bucket from which logs are going to be collected. S3BucketARN is also required if LoggingResource is 'SQS'. Example Values - arn:aws:s3:::<BucketName> or arn:aws:s3:::<BucketName>/<PrefixPath>/. (Note: Keep S3BucketARN blank in case of 'CloudWatchLogs')

  • SQSOrCloudWatchLogGroupARN: Provide the SQS queue ARN or the CloudWatch log group ARN matching the LoggingResource selection. Required when LoggingResource is 'SQS' or 'CloudWatchLogs'. (Note: Keep SQSOrCloudWatchLogGroupARN blank if LoggingResource is 'S3Bucket')

  • S3KMSKeyARN: Provide KMS Key ARN used to encrypt S3 Bucket (Note: Value required in case LoggingResource 'S3Bucket' or 'SQS' and s3 Bucket is encrypted)

  • SQSKMSKeyARN: Provide KMS Key ARN used to encrypt SQS (Note: Value required in case LoggingResource 'SQS' and sqs queue is encrypted)

  • SQSOrCloudWatchLogKMSKeyARN: Provide KMS Key ARN used to encrypt SQS queue or CloudWatch log group as per selected LoggingResource (Note: Value required in case of LoggingResource is 'SQS' or 'CloudWatchLog' and SQS queue or CloudWatch log group is encrypted)

c. Click on Next
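An added example, not code from this page or from the Accenture MDR CloudFormation template, that builds in Python the two policy documents the cross-account role needs: the trust policy restricting sts:AssumeRole to the MDR assumable role ARN and the agreed ExternalId (the parameters above), and the permission policy applying the parameter rules above together with the per-resource action lists from step 9 of the same-account procedure. The function names are assumptions, as is the assumption that the template grants kms:Decrypt on the supplied KMS key ARNs; all ARNs used with it are constructed sample values.

```python
import re

# ExternalId pattern the page quotes from the AWS AssumeRole reference, plus non-empty.
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]+$", re.ASCII)

# Read-only actions listed on the page for each LoggingResource value.
ACTIONS = {
    "S3Bucket": ["s3:ListBucket", "s3:GetObject"],
    "SQS": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ReceiveMessage",
            "sqs:DeleteMessage", "sqs:ListQueues"],
    "CloudWatchLogs": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                       "logs:FilterLogEvents", "logs:GetLogEvents"],
}

def trust_policy(mdr_role_arn, external_id):
    """Trust policy for ACNMDRCrossAccountRole: only the MDR assumable role may
    assume it, and only when it presents the agreed ExternalId (confused-deputy guard)."""
    if not EXTERNAL_ID_RE.match(external_id):
        raise ValueError("ExternalId must be non-empty and match [\\w+=,.@:/-]*")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": mdr_role_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permission_policy(logging_resource, s3_bucket_arn="", sqs_or_log_group_arn="", kms_key_arns=()):
    """Permission policy for the role, applying the page's parameter rules:
    S3BucketARN is required for S3Bucket and SQS, SQSOrCloudWatchLogGroupARN for
    SQS and CloudWatchLogs; KMS key ARNs only when the resource is encrypted."""
    if logging_resource not in ACTIONS:
        raise ValueError("LoggingResource must be S3Bucket, SQS or CloudWatchLogs")
    statements = []
    if logging_resource in ("S3Bucket", "SQS"):
        if not s3_bucket_arn:
            raise ValueError("S3BucketARN is required for S3Bucket and SQS")
        bucket_arn = s3_bucket_arn.split("/", 1)[0]   # bucket ARN without any prefix path
        statements.append({"Effect": "Allow", "Action": ACTIONS["S3Bucket"],
                           "Resource": [bucket_arn, s3_bucket_arn.rstrip("/") + "/*"]})
    if logging_resource in ("SQS", "CloudWatchLogs"):
        if not sqs_or_log_group_arn:
            raise ValueError("SQSOrCloudWatchLogGroupARN is required for SQS and CloudWatchLogs")
        statements.append({"Effect": "Allow", "Action": ACTIONS[logging_resource],
                           "Resource": [sqs_or_log_group_arn]})
    if kms_key_arns:  # assumption: decrypt-only access to the listed keys, nothing broader
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": list(kms_key_arns)})
    return {"Version": "2012-10-17", "Statement": statements}
```

Both functions return plain dicts, so json.dumps(..., indent=2) gives the document you would paste into the IAM JSON editor or compare against what the stack created.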

...

7. In Configure stack options, add tags and permissions as required by your organization's standards and naming conventions, or leave them unchanged, and click Next.

...

8. On the Review page, review the details of your stack, select the checkbox to acknowledge that CloudFormation might create IAM resources, and click Create stack.

...

9. While the stack is being created it appears on the Stacks page with the status CREATE_IN_PROGRESS; after some time the status changes to CREATE_COMPLETE.

...

In case of SQS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:ListQueues"
      ],
      "Resource": "arn:aws:sqs:region:accountID:SQSName"
    }
  ]
}

Note: In the case of SQS, make sure you create and attach the SQS policy as well as the S3 policy to the role.

Configure IAM role in MDR SOC AWS account (Account B) to access customer resources (MDR Side Configuration)

  1. Sign in to the AWS Management Console with Account B

  2. Open the IAM console.

  3. From the navigation pane, choose Roles.

  4. Choose Create role.

  5. For Select type of trusted entity, choose AWS service.

  6. For Choose the service that will use this role, choose EC2.

  7. Choose Next: Permissions.

  8. Choose Next: Tags.

  9. You can add optional tags to the role. Or, you can leave the fields blank, and then choose Next: Review.

  10. For Role name, enter a name for the role.

  11. Choose Create role.

  12. From the list of roles, choose the role that you just created.

  13. Choose Add inline policy, and then choose the JSON tab.

...

23. Go to the LCP UI and configure the appropriate collector using the sensor configuration below.

...