Real-Time Threat Configuration for AWS

Configuring Real-Time Threats

The steps explained in this user guide set up real-time threat configuration for AWS. Users must perform the following steps in the AWS portal if the account has Read permissions but no Write permissions.

  1. In the AWS portal, enable GuardDuty.

  2. Export GuardDuty findings to S3.
    a. Create a KMS Key. Refer to this link for more details: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
    b. Set the following tags:

    "corestack-system-manage": "true"
    "cs_account_id": "<<<<service_account_id>>>>"
    

    Note: Please reach out to your Customer Success representative to get the <<SERVICE_ACCOUNT_ID>>.

    c. Set the KMS Key Policy using the following code.

    {
      "Version": "2012-10-17",
      "Id": "cs-kmspolicy",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws_cloud_account_id>:root"
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow GuardDuty to encrypt findings",
          "Effect": "Allow",
          "Principal": {
            "Service": "guardduty.amazonaws.com"
          },
          "Action": "kms:GenerateDataKey",
          "Resource": "*"
        }
      ]
    }
    

    d. Create an S3 Bucket and set the following tags:

    "corestack-system-manage": "true"
    "cs_account_id": <<<<service_account_id>>>>
    

    Note: Please reach out to your Customer Success representative to get the <<SERVICE_ACCOUNT_ID>>.

    e. Update the bucket with the following bucket policy. Replace {bucket_name} with the name of the bucket created in the previous step and the kms_key_arn placeholder with the ARN of the KMS key created in step a.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Allow GetBucketLocation",
          "Effect": "Allow",
          "Principal": {
            "Service": "guardduty.amazonaws.com"
          },
          "Action": "s3:GetBucketLocation",
          "Resource": "arn:aws:s3:::{bucket_name}"
        },
        {
          "Sid": "Allow PutObject",
          "Effect": "Allow",
          "Principal": {
            "Service": "guardduty.amazonaws.com"
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{bucket_name}/*"
        },
        {
          "Sid": "Deny unencrypted object uploads",
          "Effect": "Deny",
          "Principal": {
            "Service": "guardduty.amazonaws.com"
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{bucket_name}/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "aws:kms"
            }
          }
        },
        {
          "Sid": "Deny incorrect encryption header",
          "Effect": "Deny",
          "Principal": {
            "Service": "guardduty.amazonaws.com"
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{bucket_name}/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption-aws-kms-key-id": "{kms_key_arn}"
            }
          }
        },
        {
          "Sid": "Deny non-HTTPS access",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::{bucket_name}/*",
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  3. In S3, create an event notification on the bucket that publishes to the platform SNS topic, using the details below.
    Prefix: "AWSLogs/<AwsAccountId>/GuardDuty/"
    Event types: select All object create events.
    Destination: select SNS topic.
    Select the option to enter an SNS topic ARN and enter: <<<<Please reach out to your customer service representative to get the SNS topic ARN>>>>

To learn more about the detailed steps, refer to this link: <https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html>

  4. Create an IAM Role with an S3bucketName role.
  5. Update the role's trust policy with the following JSON, replacing <Enter ExternalId> and <Platform Account ID> with the values from the note below.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<Enter ExternalId>"
            }
          },
          "Principal": {
            "AWS": "arn:aws:iam::<Platform Account ID>:root"
          }
        }
      ]
    }

Note: Please connect with your Customer Success representative to get the External ID and Platform Account ID.
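The bucket policy in step 2e and the trust policy in step 5 both depend on IAM condition semantics that are easy to get wrong: the two encryption-header denies only work because StringNotEquals also fires when the header is missing, and the External ID check only works because StringEquals fails when the key is absent. The following Python evaluator is an added example (not CoreStack or AWS code) that rebuilds both policies from their placeholders and evaluates sample requests against them with a small model of IAM's rules (default deny, explicit deny wins, Service/AWS/"*" principals, StringEquals, StringNotEquals and Bool). The bucket name, KMS key ARN, account IDs, external ID, caller role names and object key are all constructed placeholders, and the evaluator models only the operators these two policies use.

```python
"""Toy IAM policy evaluator for this guide's bucket policy and role trust policy.
Added example, not CoreStack or AWS code. It models only what these two policies
rely on: default Deny, explicit Deny beats Allow, Service / AWS / "*" principals,
wildcard Action and Resource matching, and StringEquals / StringNotEquals / Bool.
Every account ID, ARN and the external ID below is a constructed placeholder."""
import fnmatch

BUCKET_NAME = "guardduty-findings-example"                               # constructed
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-example"  # constructed
PLATFORM_ACCOUNT_ID = "444455556666"                                     # constructed
EXTERNAL_ID = "cs-example-external-id"                                   # constructed
GUARDDUTY = {"Service": "guardduty.amazonaws.com"}


def guardduty_bucket_policy(bucket_name, kms_key_arn):
    """The guide's bucket policy with {bucket_name} and kms_key_arn filled in."""
    bucket, objects = f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Allow GetBucketLocation", "Effect": "Allow", "Principal": GUARDDUTY,
         "Action": "s3:GetBucketLocation", "Resource": bucket},
        {"Sid": "Allow PutObject", "Effect": "Allow", "Principal": GUARDDUTY,
         "Action": "s3:PutObject", "Resource": objects},
        {"Sid": "Deny unencrypted object uploads", "Effect": "Deny", "Principal": GUARDDUTY,
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "Deny incorrect encryption header", "Effect": "Deny", "Principal": GUARDDUTY,
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        {"Sid": "Deny non-HTTPS access", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": objects,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def platform_trust_policy(platform_account_id, external_id):
    """The guide's role trust policy with the two placeholders filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{platform_account_id}:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(policy_principal, caller):
    """caller is {"Service": "<service>"} or {"AWS": "<caller ARN>"}."""
    if policy_principal == "*":
        return True
    for kind, allowed in policy_principal.items():
        for entry in _listify(allowed):
            if kind == "AWS" and "AWS" in caller and entry.endswith(":root"):
                # An account-root principal matches any IAM principal of that account
                # (field 4 of an ARN is the account ID).
                if entry.split(":")[4] == caller["AWS"].split(":")[4]:
                    return True
            elif caller.get(kind) == entry:
                return True
    return False


def _conditions_hold(condition, context):
    """All keys must hold. A negated operator holds when its key is absent from the
    request; a positive operator does not. That asymmetry is what makes the two
    encryption-header denies and the ExternalId check effective."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _listify(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                holds = actual is not None and str(actual) in expected
            elif operator == "StringNotEquals":
                holds = actual is None or str(actual) not in expected
            elif operator == "Bool":
                holds = actual is not None and str(actual).lower() == expected[0].lower()
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
            if not holds:
                return False
    return True


def evaluate(policy, caller, action, resource, context=None):
    """Return "Allow" or "Deny" for one request: default Deny, explicit Deny wins.
    A trust policy carries no Resource; the role itself is the implicit resource."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt.get("Resource", "*"))):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def guardduty_upload(sse=None, key_arn=None, https=True):
    """Decision for GuardDuty writing a finding with the given encryption headers."""
    context = {"aws:SecureTransport": "true" if https else "false"}
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    if key_arn is not None:
        context["s3:x-amz-server-side-encryption-aws-kms-key-id"] = key_arn
    key = f"arn:aws:s3:::{BUCKET_NAME}/AWSLogs/111122223333/GuardDuty/finding.jsonl.gz"  # constructed
    return evaluate(guardduty_bucket_policy(BUCKET_NAME, KMS_KEY_ARN), GUARDDUTY,
                    "s3:PutObject", key, context)


def platform_assume_role(account_id, external_id=None):
    """Decision for a principal in account_id calling sts:AssumeRole on the role."""
    caller = {"AWS": f"arn:aws:iam::{account_id}:role/platform-scanner"}  # constructed
    context = {} if external_id is None else {"sts:ExternalId": external_id}
    return evaluate(platform_trust_policy(PLATFORM_ACCOUNT_ID, EXTERNAL_ID), caller,
                    "sts:AssumeRole", "arn:aws:iam::111122223333:role/cs-reader", context)
```

With the guide's policies, `guardduty_upload("aws:kms", KMS_KEY_ARN)` is the only upload that returns "Allow"; omitting the encryption header, using SSE-S3 (`AES256`), naming a different KMS key, or connecting over plain HTTP all return "Deny". Likewise `platform_assume_role` returns "Allow" only for the platform account presenting the exact External ID. One thing the evaluator also makes visible: the "Deny non-HTTPS access" statement lists only the object ARN (`{bucket_name}/*`), so a bucket-level call such as GetBucketLocation over HTTP still evaluates to "Allow"; if plaintext should be refused for bucket-level calls as well, that statement's Resource would also need the bucket ARN.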

  6. Log in to the platform and go to the Cloud Account Governance settings page.
    a. To configure Threat Real Time Sync, click Configure. A dialog box is displayed.
    b. In the Select Region list, select the region where the configuration needs to be made, and then click Ok.
    c. Click Validate. If there are no errors, go to the next step; otherwise, click Re-Validate, select or enter the relevant details, and validate again. Upon successful validation, the configuration can be saved.
    d. Click Save & Exit.