AWS CloudTrail

Set up the AWS CloudTrail connector.

In this guide, you will configure AWS CloudTrail to forward events and alerts to Radiant Security. CloudTrail logs API activity across your AWS environment.

This guide assumes a clean slate: CloudTrail is not yet enabled. If your environment already uses CloudTrail, you can skip some steps. However, review every Note callout to make sure your existing configuration meets Radiant's integration requirements (organization-wide trail, SNS notification delivery, and the role name and permissions described below).

Prerequisites

This configuration requires the following:

Configuration in AWS

Before configuring the connector on the Radiant Security app, you must set up CloudTrail and create an IAM Role on AWS.

Create and configure AWS CloudTrail

AWS CloudTrail records the API calls made in your AWS accounts and delivers them as log files to an S3 bucket. This is useful for auditing, compliance, and security purposes. Below are the general steps for creating and configuring a CloudTrail trail.

Note: The ARNs of the S3 bucket, the SNS topic, and the KMS key (if encryption is enabled) are needed when configuring the IAM role and the Radiant Security connector. Be sure to copy and store those values.

Note: Perform this step from the management account of your AWS Organization, or from an account that is a delegated administrator for CloudTrail in the organization. Otherwise the checkbox Enable for all accounts in my organization is not available.

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudTrail.

  3. On the CloudTrail service home page, select Create trail.

  4. On the Choose trail attributes page, configure the trail with the following settings:

    • Enter a name for your trail. We suggest management-events.

    • Select the Enable for all accounts in my organization checkbox. This creates an organization trail that gathers logs from all member accounts. This option is available only from the management account or a delegated administrator account.

    • For Storage location, choose where to store the logs. You can create a new S3 bucket or use an existing bucket.

    • Optionally, to encrypt the log files at rest, select the Log file SSE-KMS encryption checkbox and choose New KMS alias. We suggest naming it cloudtrail-log-encryption. If you enable this, the role you create later must be allowed to decrypt with this key (see the KMS note in the IAM section).

    • Under Additional settings, enable SNS notification delivery by selecting the checkbox and choose New SNS topic. Radiant Security subscribes to this topic to learn when new log files are delivered.

  5. Now configure the log events:

    • On the Choose log events page, under Events, select the Management events and Data events checkboxes. Data events are optional, but we recommend enabling them to improve root-cause analysis and investigation.

    • For Management events, under API activity, select both the Read and Write checkboxes.

    • For Data events, under Data event type, select S3 from the drop-down. In the Log selector template, select Log all events. Alternatively, select only the specific S3 events you want to monitor; logging every S3 data event across an organization can generate a large volume of logs and corresponding S3 and CloudTrail costs, so scope this to the buckets that matter if volume is a concern.

  6. Review the settings you've chosen for your trail. When you're ready, click Create trail.

Create the credentials and enable the data connector

Next, you'll add the necessary credentials and enable the AWS data connector so that Radiant Security can automatically subscribe to the SNS topic and collect the CloudTrail logs. The following steps outline how to add the credentials and enable the data connector.

  1. Log in to Radiant Security.

  2. Navigate to Settings on the sidebar.

  3. From the navigation menu, click Settings > Services > Credentials.

  4. Click + Add Credential.

  5. From the list of credentials, select Amazon Web Services and click Credentials.

  6. Enter a Credential Name and fill in all of the fields with the respective values. Add the following values you saved from the previous steps:

    • SNS Topic Name for CloudTrail

  7. Return to the Settings page and click Data Connectors.

  8. Click + Add Connector.

  9. Search for and select the Amazon Web Services option and then click Data Feeds.

  10. Select Amazon Web Services CloudTrail.

  11. Select the credentials of this vendor from the drop-down.

  12. Click Add Connector to save the connector.

  13. Return to the Settings page. In Data Connectors, search for Amazon Web Services.

  14. Click View Details and copy the AWS External Role ID. You'll use this value for the creation of the IAM role in the upcoming steps.

Note: Save the AWS External Role ID for the IAM role steps below. You'll replace the placeholder ${RS_CREDENTIAL_ID} in the custom trust policy with this ID. It is what allows the role to be assumed only on your tenant's behalf, so treat it like a secret and do not reuse it across tenants.

Create and configure the IAM roles

Finally, you'll create and configure an Identity and Access Management (IAM) role in AWS that grants Radiant Security permission to access the CloudTrail resources. The following steps outline how to create and configure the role.

Note: The main account role must be created in the account that centralizes the logs (the account that owns the S3 bucket and SNS topic).

Note: In the permissions policy, list only the KMS keys actually used to encrypt the CloudTrail log files. If you did not enable SSE-KMS encryption, remove the kms:Decrypt statement entirely. If you did, an IAM permission alone is not sufficient: the key policy of each key must also allow this role to decrypt.

Note: For each member account grouped under this main account, you must create a role in that account and add its role ARN to the sts:AssumeRole statement (the last statement of the policy). Instructions for creating these roles are in the next section, Create and configure an IAM Role (Other accounts).

  1. Sign in to the AWS Management Console on the main account.

  2. Navigate to IAM.

  3. Select Policies and click Create Policy.

  4. On the Specify permissions page, select the JSON editor and use the JSON below:

  5. Enter a Policy name, review the settings, and create the policy.

  6. On the Roles page, click Create role.

  7. On the Select trusted entity page, select the following:

    • For Trusted entity type, select Custom trust policy. This is what allows Radiant Security to assume the role and access the account.

    • For Custom trust policy, in the text box, add the following JSON, making sure to replace ${RS_CREDENTIAL_ID} with the value provided on the Radiant Security connector's page:

This line: "AWS": "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security" might be highlighted as an error in the AWS console, because the console cannot resolve a principal that lives in another account. You can still save and use this policy.

  8. On the Add permissions page, find and select the policy you created above.

  9. Set the role name to radiant-aws-access-role, review, and save the role.

Note: The platform enforces this exact role name as an additional security check.

Permissions

Service   Action                   Scope   Data feed    Purpose
S3        s3:Get*                  All     CloudTrail   Read log files and object information from the bucket.
S3        s3:List*                 All     CloudTrail   List buckets and the files they contain.
SNS       sns:Subscribe            Main    CloudTrail   Let Radiant's queue subscribe to the SNS topic.
SNS       sns:Unsubscribe          Main    CloudTrail   Let Radiant's queue unsubscribe from the SNS topic.
SNS       sns:ConfirmSubscription  Main    CloudTrail   Confirm the SNS subscription.
KMS       kms:Decrypt              Main    CloudTrail   Decrypt log files encrypted with the CloudTrail KMS key.
STS       sts:AssumeRole           Main    CloudTrail   Assume the role in the other accounts of the organization.
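The two policy documents this section asks for (the permissions policy from step 4 and the custom trust policy from step 7) can be generated from the permissions table above. The script below is an added example, not Radiant Security's published JSON: it builds the permissions policy from the actions in the table, scoped to the bucket and topic ARNs you copied from CloudTrail rather than to "*", drops the KMS statement when no key is used, and adds one sts:AssumeRole resource per member account. The principal ARN and the ${RS_CREDENTIAL_ID} placeholder are the ones the guide shows; enforcing that ID through an sts:ExternalId condition is an assumption about how Radiant validates it, and all bucket, topic, key, and role ARNs in the usage block are constructed sample values.

```python
"""Build the IAM permissions policy and custom trust policy for the
radiant-aws-access-role described in this guide (added example, not the
page's or Radiant Security's own JSON)."""
import json
import re

# Principal copied from the guide's note about the custom trust policy.
RADIANT_PRINCIPAL = (
    "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"
)
# The guide states the platform enforces this role name.
ROLE_NAME = "radiant-aws-access-role"

# Loose ARN shape check: partition, service, optional region, optional account, resource.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$")


def _check_arns(arns):
    """Fail early on typos instead of saving a policy that silently matches nothing."""
    for arn in arns:
        if not ARN_RE.match(arn):
            raise ValueError(f"not an ARN: {arn!r}")


def build_permissions_policy(bucket_arn, sns_topic_arn, kms_key_arns=(), member_role_arns=()):
    """Permissions policy for the main-account role, built from the guide's table.

    S3 and SNS actions are scoped to the named bucket and topic (assumption: the
    connector does not need to enumerate other buckets). The KMS statement is
    emitted only when keys are given, and the AssumeRole statement only when
    member-account role ARNs are given, as the guide's notes require.
    """
    _check_arns([bucket_arn, sns_topic_arn, *kms_key_arns, *member_role_arns])
    statements = [
        {
            "Sid": "ReadCloudTrailLogs",
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        },
        {
            "Sid": "SubscribeToCloudTrailTopic",
            "Effect": "Allow",
            "Action": ["sns:Subscribe", "sns:Unsubscribe", "sns:ConfirmSubscription"],
            "Resource": sns_topic_arn,
        },
    ]
    if kms_key_arns:
        statements.append({
            "Sid": "DecryptCloudTrailLogs",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": list(kms_key_arns),
        })
    if member_role_arns:
        statements.append({
            "Sid": "AssumeMemberAccountRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(member_role_arns),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def build_trust_policy(external_id):
    """Custom trust policy: only Radiant's principal may assume the role, and only
    when it presents the External Role ID copied from the connector page.
    The sts:ExternalId condition is an assumption; it is the usual confused-deputy
    guard for third-party AssumeRole."""
    if not external_id or external_id == "${RS_CREDENTIAL_ID}":
        raise ValueError("replace ${RS_CREDENTIAL_ID} with the AWS External Role ID from Radiant")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": RADIANT_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def render(policy):
    """Serialise a policy for pasting into the IAM console JSON editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample ARNs; substitute the values you copied from CloudTrail.
    permissions = build_permissions_policy(
        bucket_arn="arn:aws:s3:::management-events-logs",
        sns_topic_arn="arn:aws:sns:us-east-1:111122223333:management-events",
        kms_key_arns=["arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"],
        member_role_arns=["arn:aws:iam::444455556666:role/" + ROLE_NAME],
    )
    print(render(permissions))
    print(render(build_trust_policy("example-external-id")))
```

If Radiant's collector needs to enumerate buckets (the table marks the S3 actions with scope All), s3:ListAllMyBuckets must be granted on "*"; widen the first statement only if the connector fails at that step. Either way, keep kms:Decrypt and sts:AssumeRole limited to the specific key and role ARNs rather than "*".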
