Accenture MDR Quick Start Guide for Role Based Access Control in AWS Generic Sensor

This quick start guide helps Accenture MDR customers configure Amazon Web Services (AWS) role-based access control so that the Log Collection Platform (LCP) can collect logs from the customer's AWS account.

The document includes the following topics:

Pre-requisites

  1. The AWS user performing the setup must have permission to create and modify IAM roles in the customer account.

  2. Obtain the assumable role ARN from the Accenture MDR device onboarding team; it is entered in the CloudFormation template's ACNMDRAwsAccountARN field.

Scope

  1. Log Collection using cross AWS account (Where LCP is hosted in MDR SOC AWS account and logging resource is in Customer AWS account)

Note: Supported logging resources are S3 buckets, SQS queues, and CloudWatch Logs log groups.

Log Collection using cross AWS account (Where LCP is hosted in MDR SOC AWS account and logging resource is in Customer AWS account)

Follow these steps:

  • Configure IAM role in customer AWS account (Account A) with appropriate permissions to the resource (customer side configuration)

  • Configure IAM role in MDR SOC AWS account (Account B) to access customer resource (MDR Side Configuration)

Configure role in customer AWS account (Account A) with appropriate permissions to the resource using CloudFormation (customer side configuration)

  1. Sign in to the AWS Management Console with Account A.

  2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  3. Create a new stack by using one of the following options:

    a. Choose Create Stack. This is the only option if you have a currently running stack.

    b. Choose Create Stack on the Stacks page. This option is visible only if you have no running stacks.

4. Select the With new resources (standard) option.

5. On the Create stack page:

a. Under Prerequisite - Prepare template, select Template is ready.

b. Under Specify template, select Upload a template file.

c. Choose File and select the template file cloudformation.yaml supplied with this guide. Once you have chosen the template, CloudFormation uploads the file and displays its S3 URL.

d. Click Next.

6. Specify the stack details.

a. Enter a stack name of your choice.

b. Parameters:

  • LoggingResource: select the resource from which logs are collected:

    a) S3Bucket: data is collected directly from an S3 bucket

    b) SQS: an SQS queue is configured for the S3 bucket

    c) CloudWatchLog: data is collected from a CloudWatch Logs log group

  • PolicyName: a unique policy name that has not previously been used for a policy attached to 'ACNMDRCrossAccountRole'. Recommended names: CrossAccountPolicyFor<S3BucketName>, CrossAccountPolicyFor<SQSName> or CrossAccountPolicyFor<LogGroupName>.

  • S3BucketARN: ARN of the S3 bucket from which logs are collected. Also required when LoggingResource is 'SQS'. Example values: arn:aws:s3:::<BucketName> or arn:aws:s3:::<BucketName>/<PrefixPath>/. Leave blank when the CloudWatch Logs option is selected.

  • SQSOrCloudWatchLogGroupARN: ARN of the SQS queue or the CloudWatch Logs log group, matching the LoggingResource selection. Required when LoggingResource is 'SQS' or the CloudWatch Logs option; leave blank when LoggingResource is 'S3Bucket'.

  • S3KMSKeyARN: ARN of the KMS key used to encrypt the S3 bucket. Required when LoggingResource is 'S3Bucket' or 'SQS' and the bucket is KMS-encrypted.

  • SQSKMSKeyARN: ARN of the KMS key used to encrypt the SQS queue. Required when LoggingResource is 'SQS' and the queue is KMS-encrypted.

  • SQSOrCloudWatchLogKMSKeyARN: ARN of the KMS key used to encrypt the SQS queue or the CloudWatch Logs log group, matching the LoggingResource selection. Required when LoggingResource is 'SQS' or the CloudWatch Logs option and the queue or log group is KMS-encrypted.

c. Click Next.

7. On Configure stack options, add tags and permissions as required by your organization's standards and naming conventions, or leave them unchanged, and click Next.

8. On the Review page, check the details of your stack, select the acknowledgment checkbox (the template creates IAM resources), and click Create stack.

9. While the stack is being created it appears on the Stacks page with the status CREATE_IN_PROGRESS; after a short time the status changes to CREATE_COMPLETE.

10. Once the stack is created, go to the Outputs tab, copy the output values, and share them with Accenture MDR.

Note: The CloudFormation template creates a new role named "ACNMSSCrossAccountRole" and attaches read-only policies for the resources that are to be monitored. The template can also attach the read-only policy to a pre-existing role with the name "ACNMSSCrossAccountRole".

Below are the policy statements attached to "ACNMSSCrossAccountRole", depending on the logging resource selected in the template:

S3Bucket:

{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]
}

CloudWatchLog:

{
    "Effect": "Allow",
    "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents"],
    "Resource": ["arn:aws:logs:region:accountID:log-group:specificLogGroupName"]
}

SQS:

{
    "Effect": "Allow",
    "Action": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ListQueues"],
    "Resource": "arn:aws:sqs:region:accountID:SQSName"
}

Note: When LoggingResource is SQS, make sure that both the SQS policy and the S3 policy are created and attached to the role.
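The following Python module is an added example and is not Accenture's cloudformation.yaml. It builds the read-only statements listed above from the same template parameters (LoggingResource, S3BucketARN, SQSOrCloudWatchLogGroupARN and the KMS key ARNs), enforces the "leave blank" rules from the parameter notes, and adds a least-privilege check a reviewer would run before creating the stack. Two things are assumptions not stated in the guide: the role's trust policy restricts sts:AssumeRole to the MDR principal from ACNMDRAwsAccountARN with an sts:ExternalId condition (the External ID that later appears in the LCP sensor configuration), and KMS access is kms:Decrypt on the listed key ARNs only. The value name CloudWatchLog follows the option list in step 6; when a prefix path is given, the example goes slightly beyond the statement shown above by scoping s3:ListBucket to that prefix.

```python
"""Customer-side (Account A) IAM documents for the cross-account collector role.

Added example, not Accenture's cloudformation.yaml. Assumptions (not in the guide):
trust policy limited to the MDR principal plus an sts:ExternalId condition, and
KMS access limited to kms:Decrypt on the given key ARNs.
"""
import json

ROLE_NAME = "ACNMSSCrossAccountRole"
LOGS_ACTIONS = ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                "logs:FilterLogEvents", "logs:GetLogEvents"]
SQS_ACTIONS = ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ReceiveMessage",
               "sqs:DeleteMessage", "sqs:ListQueues"]


def trust_policy(mdr_principal_arn: str, external_id: str) -> dict:
    """Who may assume the role. The ExternalId condition is the standard guard against
    a confused deputy: a third party that knows the role ARN but not the shared
    External ID cannot have the MDR account assume the role on its behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": mdr_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _s3_statements(bucket_arn: str) -> list:
    # S3BucketARN is arn:aws:s3:::<bucket> or arn:aws:s3:::<bucket>/<prefix>/.
    # ListBucket is granted on the bucket (scoped to the prefix when one is given),
    # GetObject only on objects under that prefix.
    bucket, _, prefix = bucket_arn.partition("/")
    listing = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [bucket]}
    if prefix:
        listing["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    reading = {"Effect": "Allow", "Action": ["s3:GetObject"],
               "Resource": [f"{bucket}/{prefix}*"]}
    return [listing, reading]


def resource_policy(logging_resource: str, s3_bucket_arn: str = "",
                    sqs_or_log_group_arn: str = "", kms_key_arns=()) -> dict:
    """Statements attached to ROLE_NAME for one LoggingResource selection."""
    statements = []
    if logging_resource in ("S3Bucket", "SQS"):
        if not s3_bucket_arn:
            raise ValueError("S3BucketARN is required for S3Bucket and SQS")
        statements += _s3_statements(s3_bucket_arn)
    elif logging_resource == "CloudWatchLog":
        if s3_bucket_arn:
            raise ValueError("S3BucketARN must be blank for CloudWatchLog")
    else:
        raise ValueError(f"unknown LoggingResource {logging_resource!r}")

    if logging_resource == "S3Bucket":
        if sqs_or_log_group_arn:
            raise ValueError("SQSOrCloudWatchLogGroupARN must be blank for S3Bucket")
    elif not sqs_or_log_group_arn:
        raise ValueError("SQSOrCloudWatchLogGroupARN is required for SQS and CloudWatchLog")
    elif logging_resource == "SQS":
        # sqs:ListQueues takes no resource ARN in IAM; kept here to match the guide.
        statements.append({"Effect": "Allow", "Action": SQS_ACTIONS,
                           "Resource": sqs_or_log_group_arn})
    else:
        statements.append({"Effect": "Allow", "Action": LOGS_ACTIONS,
                           "Resource": [sqs_or_log_group_arn]})

    keys = sorted({k for k in kms_key_arns if k})  # blank KMS parameters are ignored
    if keys:
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": keys})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_least_privilege(policy: dict) -> list:
    """Findings to reject before the stack is created: wildcard actions or
    resources, and any action outside the read set the collector needs."""
    allowed = set(LOGS_ACTIONS) | set(SQS_ACTIONS) | {"s3:ListBucket", "s3:GetObject", "kms:Decrypt"}
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        findings += [f"statement {i}: wildcard action {a}" for a in actions if "*" in a]
        findings += [f"statement {i}: action {a} not needed for log collection"
                     for a in actions if "*" not in a and a not in allowed]
        findings += [f"statement {i}: wildcard resource" for r in resources if r == "*"]
    return findings


if __name__ == "__main__":
    # Constructed sample values; not a real account, bucket or key.
    policy = resource_policy(
        "SQS",
        s3_bucket_arn="arn:aws:s3:::example-cloudtrail-logs/AWSLogs/",
        sqs_or_log_group_arn="arn:aws:sqs:us-west-2:111122223333:example-cloudtrail-queue",
        kms_key_arns=("arn:aws:kms:us-west-2:111122223333:key/11111111-2222-3333-4444-555555555555", ""),
    )
    print(json.dumps(policy, indent=2))
    print("findings:", lint_least_privilege(policy) or "none")
```

Running the module prints the four statements for the SQS case (two for S3, one for the queue, one kms:Decrypt) and an empty findings list; passing a policy with "s3:*" or a "*" resource through lint_least_privilege shows what the check catches.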

Configure IAM role in MDR SOC AWS account (Account B) to access customer resources (MDR Side Configuration)


  1. Sign in to the AWS Management Console with Account B

  2. Open the IAM console.

  3. From the navigation pane, choose Roles.

  4. Choose Create role.

  5. For Select type of trusted entity, choose AWS service.

  6. For Choose the service that will use this role, choose EC2.


  7. Choose Next: Permissions.

  8. Choose Next: Tags.

  9. You can add optional tags to the role. Or, you can leave the fields blank, and then choose Next: Review.

  10. For the Role name, enter a name for the role.

  11. Choose Create role.

  12. From the list of roles, choose the role that you just created.

  13. Choose Add inline policy, and then choose the JSON tab.

  14. Enter the following policy, replacing arn:aws:iam::111111111111:role/ROLENAME with the Role ARN shared by the customer (Account A):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111111111111:role/ROLENAME"
        }
    ]
}

15. Choose Review policy.

16. For Name, enter a name for the policy.

17. Choose Create policy.

18. Return to the AWS Management Console.

19. Open the EC2 Dashboard.

20. Go to Instances (running) if the LCP instance is running; otherwise go to Instances, search for the LCP instance, and start it.

21. Select the LCP instance and go to Actions → Security → Modify IAM role.

22. Search for the IAM role that you created earlier and click Save.

23. In the LCP UI, configure the appropriate collector with the following sensor configuration:

Property                             | Value                    | Description
-------------------------------------|--------------------------|------------------------------------------------------------
Secret Access ID                     | <Role ARN>               | Role ARN shared by the customer (Account A)
Secret Access Key                    | <External ID>            | External ID shared between the customer and Accenture
S3 Bucket/Log Group(s)/SQS Queue URL | <Resource Name>          | S3 bucket name, log group name(s), or SQS queue URL, depending on the logging source
Region                               | <Region>                 | Region of the logging resource (e.g. us-west-2)
Logging Source                       | <Select logging source>  | Select S3, CloudWatch, or SQS from the dropdown
Bucket Prefix Path(s)                | <PrefixPath>             | Only when Logging Source is S3; example: /AWSLogs/Account-ID/CloudTrail/region
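Before saving the sensor configuration above, it is worth confirming from the LCP host that the chain actually works: the instance role attached in step 22 assumes the customer role with the Role ARN and External ID, and the resulting temporary credentials can perform the one read the collector relies on. The following Python script is an added example, not LCP code. It assumes boto3 is installed on the LCP instance; the AWS clients are passed in as parameters, so the same logic runs offline against the constructed stand-in objects at the bottom of the file. The field names in SensorConfig mirror the table above and are this example's own.

```python
"""Smoke-test the customer role from the LCP host before saving the sensor config.

Added example, not LCP code. Assumes boto3 on the host for the real run; the
stand-in classes below are constructed for offline use and imitate only the
calls this script makes.
"""
from dataclasses import dataclass


@dataclass
class SensorConfig:
    """Mirrors the LCP sensor fields in the table above (names are this example's)."""
    role_arn: str
    external_id: str
    logging_source: str        # "S3", "CloudWatch" or "SQS"
    resource: str              # bucket name, log group name or SQS queue URL
    region: str
    prefix_path: str = ""      # S3 only, e.g. /AWSLogs/<Account-ID>/CloudTrail/<region>


SERVICE_FOR_SOURCE = {"S3": "s3", "CloudWatch": "logs", "SQS": "sqs"}


def assume_customer_role(sts, cfg: SensorConfig, duration_seconds: int = 900) -> dict:
    """Exchange the instance role for short-lived credentials in the customer account.
    ExternalId must match the sts:ExternalId condition in the customer role's trust
    policy; with the condition present, STS denies an AssumeRole that omits it."""
    resp = sts.assume_role(RoleArn=cfg.role_arn, RoleSessionName="acn-mdr-lcp-check",
                           ExternalId=cfg.external_id, DurationSeconds=duration_seconds)
    return resp["Credentials"]


def probe_source(client, cfg: SensorConfig):
    """Issue the smallest read the collector relies on; return (ok, detail)."""
    try:
        if cfg.logging_source == "S3":
            client.list_objects_v2(Bucket=cfg.resource,
                                   Prefix=cfg.prefix_path.lstrip("/"), MaxKeys=1)
        elif cfg.logging_source == "CloudWatch":
            client.describe_log_streams(logGroupName=cfg.resource, limit=1)
        elif cfg.logging_source == "SQS":
            client.get_queue_attributes(QueueUrl=cfg.resource,
                                        AttributeNames=["ApproximateNumberOfMessages"])
        else:
            return False, f"unsupported logging source {cfg.logging_source!r}"
    except Exception as exc:                 # botocore.exceptions.ClientError on AWS
        return False, f"{type(exc).__name__}: {exc}"
    return True, "read access confirmed"


def check_with_boto3(cfg: SensorConfig):
    """Real run on the LCP host: instance-role STS client -> AssumeRole -> scoped client -> probe."""
    import boto3                              # imported here so offline use needs no boto3
    creds = assume_customer_role(boto3.client("sts", region_name=cfg.region), cfg)
    client = boto3.client(SERVICE_FOR_SOURCE[cfg.logging_source], region_name=cfg.region,
                          aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])
    return probe_source(client, cfg)


# --- Offline stand-ins (constructed for this example; they imitate the calls above) ---
class StandInSts:
    """Accepts AssumeRole only for the configured ARN + External ID, like a trust policy."""
    def __init__(self, trusted_arn, external_id):
        self.trusted = (trusted_arn, external_id)

    def assume_role(self, RoleArn, RoleSessionName, ExternalId=None, DurationSeconds=3600):
        if (RoleArn, ExternalId) != self.trusted:
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example",
                                "SessionToken": "example", "Expiration": DurationSeconds}}


class StandInS3:
    """Grants s3:ListBucket on one bucket only, like the policy in the customer account."""
    def __init__(self, readable_bucket):
        self.readable_bucket = readable_bucket

    def list_objects_v2(self, Bucket, Prefix="", MaxKeys=1000):
        if Bucket != self.readable_bucket:
            raise PermissionError("AccessDenied: s3:ListBucket")
        return {"KeyCount": 0}


if __name__ == "__main__":
    # Constructed sample values; not a real account or bucket.
    cfg = SensorConfig("arn:aws:iam::111111111111:role/ACNMSSCrossAccountRole", "ext-id-123",
                       "S3", "example-cloudtrail-logs", "us-west-2",
                       "/AWSLogs/111111111111/CloudTrail/us-west-2")
    assume_customer_role(StandInSts(cfg.role_arn, cfg.external_id), cfg)
    print(probe_source(StandInS3("example-cloudtrail-logs"), cfg))
```

On the LCP host, call check_with_boto3(cfg) with the values from the table; a PermissionError-style AccessDenied on the AssumeRole step points at the trust policy or External ID, while a failure in the probe step points at the resource policy created by the customer's stack.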


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.