Set up AWS CloudTrail and GuardDuty connectors.
Overview
Radiant Security utilizes AWS CloudTrail and GuardDuty as sources of events and alerts, ensuring a proactive approach to triaging and investigating alerts within AWS cloud environments. CloudTrail records API actions while GuardDuty actively monitors for threats.
You'll need to complete the following configuration requirements:
- Create and configure AWS CloudTrail
- Create and configure Amazon GuardDuty
- Create the credentials and enable the data connector
- Create and configure the IAM roles
- Optional: Export GuardDuty logs to the main account bucket
- Recommended: Test GuardDuty integration with Radiant Security
Prerequisites
This configuration requires the following:
- AWS user permissions to create and update the following resources: IAM, CloudTrail, GuardDuty, SNS, and KMS.
- Group all CloudTrail Logs into one account for event collection.
- Place all GuardDuty alerts across all of the monitored accounts into a single S3 bucket. For more information on how to manage multiple accounts in Amazon GuardDuty, please visit this page.
Configuration in AWS
Before configuring the connector on the Radiant Security app, you must set up CloudTrail and GuardDuty and create an IAM Role on AWS.
Create and configure AWS CloudTrail
Amazon CloudTrail is a service provided by AWS that allows you to enable logging of AWS API calls. This is useful for auditing, compliance, and security purposes. Below are the general steps for creating and configuring AWS CloudTrail.
Tip: If you're using an existing CloudTrail configuration, you can edit it and proceed to step 4.
Note: Save the SNS name as you'll need it to create the connector at a later step.
Note: The ARN of S3, SNS, and KMS (if enabled) will be used when configuring the IAM role.
Note: You must perform this step using the Management Account of your AWS Organization, or an account that is a Delegated Administrator for AWS Organizations. Otherwise, the Enable for all accounts in my organization checkbox won't be available.
- Sign in to the AWS Management Console.
- Navigate to CloudTrail.
- On the CloudTrail service home page, select Create trail.
- On the Choose trail attributes page, configure the trail with the following required settings:
- Enter a name for your trail.
- Select the Enable for all accounts in my organization checkbox. This will gather logs from all accounts. This option is available only to administrator accounts.
- For Storage location, choose where to store the logs. You can create a new S3 bucket or use an existing bucket.
- Optionally, if you'd like to enable log encryption, select the Log file SSE-KMS encryption checkbox and choose to set a New KMS alias.
Example of a key policy:
{
  "Version": "2012-10-17",
  "Id": "Key policy created by CloudTrail",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${AWS_ACCOUNT_ID}:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to encrypt logs",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:${REGION}:${AWS_ACCOUNT_ID}:trail/${TRAIL_NAME}"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${AWS_ACCOUNT_ID}:trail/*"
        }
      }
    },
    {
      "Sid": "Allow CloudTrail to describe key",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow principals in the account to decrypt log files",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "${AWS_ACCOUNT_ID}"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${AWS_ACCOUNT_ID}:trail/*"
        }
      }
    },
    {
      "Sid": "Allow alias creation during setup",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:CreateAlias",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ec2.us-west-2.amazonaws.com",
          "kms:CallerAccount": "${AWS_ACCOUNT_ID}"
        }
      }
    },
    {
      "Sid": "Enable cross account log decryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "${AWS_ACCOUNT_ID}"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${AWS_ACCOUNT_ID}:trail/*"
        }
      }
    }
  ]
}
- Under Additional settings, enable SNS notification delivery by selecting the checkbox. Choose to use a New SNS topic.
Example of a topic access policy:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:${REGION}:${AWS_ACCOUNT_ID}:${SNS_NAME}",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "${AWS_ACCOUNT_ID}"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailSNSPolicy20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:${REGION}:${AWS_ACCOUNT_ID}:${SNS_NAME}",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:${REGION}:${AWS_ACCOUNT_ID}:trail/${TRAIL_NAME}"
        }
      }
    }
  ]
}
- Now, configure the log events:
- On the Choose log events page, under Events, select the Management events and Data events checkboxes. Selecting Data events is optional, but we recommend enabling it to improve RCA/Investigation.
- For Management events, under API activity, select the Read and Write checkboxes.
- For Data events, under Data event type, select S3 from the drop-down. In the Log selector template, select Log all events from the drop-down. Alternatively, you can select the specific S3 events you want to monitor.
- Review the settings you've chosen for your trail. When you're ready to create your trail, click Create trail.
Tip: For more details on how to create a trail, you can review the AWS documentation on creating a trail.
Create and configure Amazon GuardDuty
Amazon GuardDuty is a managed threat detection service that continuously monitors malicious or unauthorized activities in your AWS environment. The following steps outline how to create and configure Amazon GuardDuty.
- Sign in to the AWS Management Console.
- Navigate to S3 and create a bucket to store all logs (AWS Tutorial). Save the S3 bucket ARN, as you will use it in the GuardDuty settings.
- Navigate to KMS and create a key to encrypt all logs (AWS Tutorial). Save the KMS key ARN, as you will use it in the GuardDuty settings.
- Navigate to GuardDuty.
- Click Enable GuardDuty.
- In the navigation pane, click S3 Protection and choose Enable to enable S3 monitoring.
- Navigate to Settings to configure the Findings export options.
- For Edit frequency to publish updated findings, select 15 minutes. Click Save changes.
- For Edit S3 bucket, add the S3 bucket ARN and the KMS key ARN you created. GuardDuty enforces log encryption using KMS. Note that you must follow the AWS instructions to attach the required policies to the S3 bucket and the KMS key, as described in the second box on this page.
- Navigate to SNS and create a new Topic of the Standard type (AWS Tutorial for creating an SNS topic).
- On the topic page, you must configure the Access Policy to allow S3 to publish events to the SNS topic.
This is an example of the policy:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:${REGION}:${AWS_ACCOUNT_ID}:${SNS_NAME}",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "${AWS_ACCOUNT_ID}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${AWS_ACCOUNT_ID}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:::*"
        }
      }
    }
  ]
}
- Navigate to S3 and open the bucket configured on GuardDuty.
- Navigate to the bucket properties.
- Find the Event notifications section and click Create event notification.
- On the Create event notification page, configure the notification with the following settings:
- For Event name, enter a name for the event notification.
- For Event types, under Object creation, select All object create events.
- For Destination, select the SNS topic and add the SNS topic that was created.
- Review and save the settings you've chosen.
Note: The KMS ARN will be used to configure the IAM role.
Note: Save the SNS name as you'll need it to create the connector at a later step.
Create the credentials and enable the data connector
Next, you'll add the necessary credentials and enable the AWS data connector so that Radiant Security can automatically subscribe to both SNS topics and collect the CloudTrail and GuardDuty logs. The following steps outline how to add the credentials and enable the data connector.
- Log in to Radiant Security.
- Navigate to Settings on the sidebar.
- From the navigation menu, click Settings > Services > Credentials.
- Click + Add Credential.
- From the list of credentials, select Amazon Web Services and click Credentials.
- Enter a Credential Name and fill in all of the fields with the respective values. Add the following values you saved from the previous steps:
- SNS Topic Name for GuardDuty
- SNS Topic Name for CloudTrail
- Return to the Settings page and click Data Connectors.
- Click + Add Connector.
- Search for and select the Amazon Web Services option and then click Data Feeds.
- Select Amazon Web Services CloudTrail and Amazon Web Services GuardDuty.
- Select the credentials of this vendor from the drop-down.
- Click Add Connector to save the connector.
- Return to the Settings page. In Data Connectors, search for Amazon Web Services.
- Click View Details and copy the AWS External Role ID. You'll use this value for the creation of the IAM role in the upcoming steps.
Note: Save the AWS External Role ID to use in the upcoming steps for IAM roles. You'll replace the variable ${RS_CREDENTIAL_ID} on the Custom trust policy with this ID.
Create and configure the IAM roles
Finally, you'll create and configure Identity and Access Management (IAM) roles in AWS to grant Radiant Security permission to access AWS resources. The following steps outline how to create and configure the roles.
Create and configure an IAM Role (Main account)
Note: The main account role must be configured on the account that centralizes the logs.
Note: In the KMS statement (EnableCrossAccountLogDecryption), list only the KMS keys actually used for encryption. If no KMS key is used for the resources, remove that statement entirely.
Note: For each account grouped under this main account, you must create a role and add its role ARN to the sts:AssumeRole statement. Instructions for creating these roles are described in the next step, Create and configure an IAM Role (Other accounts).
- Sign in to the AWS Management Console on the main account.
- Navigate to IAM.
- Select Policies and click Create Policy.
- For Specify Permission, select the JSON format and use the JSON below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListAndGetAllLogFiles",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    },
    {
      "Sid": "AllowManagingSNSTopicSubscriptions",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:ConfirmSubscription"
      ],
      "Resource": [
        "arn:aws:sns:${REGION}:${AWS_ACCOUNT_ID}:${SNS_NAME_CLOUD_TRAIL}",
        "arn:aws:sns:${REGION}:${AWS_ACCOUNT_ID}:${SNS_NAME_GUARD_DUTY}"
      ]
    },
    {
      "Sid": "EnableCrossAccountLogDecryption",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:${REGION}:${AWS_ACCOUNT_ID}:key/${KMS_KEY_CLOUD_TRAIL}",
        "arn:aws:kms:${REGION}:${AWS_ACCOUNT_ID}:key/${KMS_KEY_GUARD_DUTY}"
      ]
    },
    {
      "Sid": "AllowAssumeARoleInAnotherOrganizationAccount",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLES_NAME}",
        ...,
        ...
      ]
    },
    {
      "Sid": "Statement5",
      "Effect": "Allow",
      "Action": [
        "organizations:ListPolicies",
        "organizations:DescribePolicy",
        "organizations:ListPoliciesForTarget",
        "organizations:DescribeResourcePolicy",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
- Replace all values in the JSON with the correct value:
- REGION
- AWS_ACCOUNT_ID
- SNS_NAME_CLOUD_TRAIL
- SNS_NAME_GUARD_DUTY
- KMS_KEY_CLOUD_TRAIL
- KMS_KEY_GUARD_DUTY
- Note that the policy statement “Allow assume a role in another organization account” is required only if you have more than one account.
- Enter a Policy name, review the settings, and create the policy.
- On the Roles page, click Create role.
- On the Select trusted entity page, select the following:
- For Trusted entity type, select Custom trust policy to allow Radiant Security to use this role to access the account.
- For Custom trust policy, in the text box, add the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRadiantSecurity",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${RS_CREDENTIAL_ID}"
        }
      }
    }
  ]
}
Note: 2024-05. This line:
"AWS": "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"
is highlighted as an error in the AWS console (while setting up the custom policy). However, you can still save the policy, and it works.
Replace ${RS_CREDENTIAL_ID} with the AWS External Role ID created previously in the Radiant connector setup.
- On the Add permissions page, find and select the policy for the role.
- Set the role name to radiant-aws-access-role, then review and save the role.
Note: Our platform enforces that role name for enhanced security.
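An offline check for the two JSON documents in this section, the permissions policy whose ${...} values are replaced above and the trust policy with its sts:ExternalId condition. This is an added example, not Radiant Security's or AWS's code; the function names, the example external ID and the sample policy (built from the trust policy snippet above with its placeholder left unreplaced) are assumptions.

```python
"""Offline lint for the trust and resource policies pasted in this setup.
Added example, not Radiant Security's or AWS's code; it assumes each policy
is loaded as a dict (json.loads of the text you paste into the console)."""
import json
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]+)\}")  # ${REGION}, ${RS_CREDENTIAL_ID}, ...

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def fill_placeholders(policy, values):
    """Copy of the policy with every ${VAR} replaced from values (KeyError if one is missing)."""
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], json.dumps(policy)))

def check_trust_policy(policy, expected_external_id):
    """Problems with a role trust policy; an empty list means it is sound. Every
    AssumeRole grant must name a specific principal and pin sts:ExternalId to the
    External Role ID shown in the Radiant connector (the confused-deputy guard)."""
    problems = [f"unreplaced placeholder {p}"
                for p in sorted(set(PLACEHOLDER.findall(json.dumps(policy))))]
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        sid = s.get("Sid", "<no Sid>")
        if _is_wildcard(s.get("Principal")):
            problems.append(f"{sid}: AssumeRole granted to a wildcard principal")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"{sid}: no sts:ExternalId condition")
        elif ext != expected_external_id:
            problems.append(f"{sid}: sts:ExternalId does not match the External Role ID")
    return problems

def unconditioned_wildcard_principals(policy):
    """Sids of Allow statements that grant a wildcard principal with no Condition.
    The SNS and KMS policies above always pair "AWS": "*" with a SourceOwner,
    CallerAccount or SourceArn condition; without one the grant is public."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
            and not s.get("Condition")]

# Constructed sample: the main-account trust policy with its template variable
# still in place, the mistake the note above warns about.
TRUST_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AssumeRadiantSecurity",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "${RS_CREDENTIAL_ID}"}},
    }],
}
```

Run check_trust_policy on the filled-in trust policy and unconditioned_wildcard_principals on each SNS, KMS and bucket policy before saving them in the console.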
Create and configure an IAM Role (Other accounts)
Note: This step needs to be repeated on each account that sends logs to the main account.
- Sign in to the AWS Management Console.
- Navigate to IAM.
- Select Policies from the sidebar and click Create Policy.
- On the Specify Permission page, select the JSON format and use the JSON below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow list and get infos of S3",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
- Give the policy a name, review it, and create the policy.
- Move to Roles page and click on Create role.
- Add a trust policy to allow Radiant Security to use this role to access the account.
- Select Custom trust policy.
- In the text box of the Custom trust policy, add the following JSON snippet:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRadiantSecurity",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${Assume_Role_Name}"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${RS_CREDENTIAL_ID}"
        }
      }
    }
  ]
}
Note: Replace the ${AWS_ACCOUNT_ID} variable with the account ID that groups all logs.
- On the Add permissions page, find and select the policy for the role.
- Enter a Role name, review the settings, and save the role.
- Copy the role's ARN and add it to the Resource field of the sts:AssumeRole statement in the main account role (step 4 of the section titled Create and configure an IAM Role (Main account)). Do this for each account, as the snippet below highlights.
{
  "Sid": "Allow assume a role in another organization account",
  "Effect": "Allow",
  "Action": [
    "sts:AssumeRole"
  ],
  "Resource": [
    "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLES_NAME}",
    ...,
    ...
  ]
}
Permissions
| API / Service | Permission name | Account | Connector | Details |
|---|---|---|---|---|
| S3 | s3:Get* | All | CloudTrail, GuardDuty | Allows reading files and information from buckets. |
| S3 | s3:List* | All | CloudTrail, GuardDuty | Allows listing all buckets and files. |
| SNS | sns:Subscribe | Main | CloudTrail, GuardDuty | Allows our queue to subscribe to the SNS topic. |
| SNS | sns:Unsubscribe | Main | CloudTrail, GuardDuty | Allows our queue to unsubscribe from the SNS topic. |
| SNS | sns:ConfirmSubscription | Main | CloudTrail, GuardDuty | Allows your system to confirm the subscription. |
| KMS | kms:Decrypt | Main | CloudTrail, GuardDuty | Allows getting the key and decrypting log files. |
| STS | sts:AssumeRole | Main | CloudTrail, GuardDuty | Allows assuming a role in other accounts in the organization. |
Optional: Export GuardDuty logs to the main account bucket
In this section, you’ll export GuardDuty logs to the main account bucket. This section is marked as optional because you may have already done this.
- For each sub account with its own GuardDuty, extract the detector identifier for each account. This is found on the GuardDuty > Settings page.
- In the main account S3 bucket, edit the Bucket policy and add the following permissions, filling in the SourceARN for each GuardDuty detector:
{
  "Sid": "Allow PutObject All GuardDuty",
  "Effect": "Allow",
  "Principal": {
    "Service": "guardduty.amazonaws.com"
  },
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::/*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "aws:SourceArn": [
        "arn:aws:guardduty:::detector/",
        "arn:aws:guardduty:::detector/",
        ...
      ]
    }
  }
},
{
  "Sid": "Allow GetBucketLocation All GuardDuty",
  "Effect": "Allow",
  "Principal": {
    "Service": "guardduty.amazonaws.com"
  },
  "Action": "s3:GetBucketLocation",
  "Resource": "arn:aws:s3:::/*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "aws:SourceArn": [
        "arn:aws:guardduty:::detector/",
        "arn:aws:guardduty:::detector/",
        ...
      ]
    }
  }
}
- In the main account, edit the key policy of the KMS key configured to encrypt the S3 bucket files. Add the following statement, filling in the ARN of each GuardDuty detector:
{
  "Sid": "Allow GuardDuty to encrypt findings All Accounts",
  "Effect": "Allow",
  "Principal": {
    "Service": "guardduty.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "aws:SourceArn": [
        "arn:aws:guardduty:::detector/",
        "arn:aws:guardduty:::detector/",
        ...
      ]
    }
  }
}
- After the permissions are set, execute the following command within each AWS account context (in the AWS Console, open CloudShell and run it there):
aws guardduty create-publishing-destination --detector-id 0 --destination-type S3 --destination-properties DestinationArn=0,KmsKeyArn=0 --region 0
- The command should finish by returning the DestinationID:
{
  "DestinationID": "xxx"
}
- If the command fails with the following message, the permissions added in the previous steps were not set up correctly:
The command does not have proper permissions for the given KMS or destination
Recommended: Test GuardDuty integration with Radiant Security
Since this is a lengthy integration that involves multiple AWS accounts, we highly recommend testing the integration from end-to-end. Refer to the Test GuardDuty’s Integration with Radiant Security guide to help you test GuardDuty integration.
Last updated: 2024-10-18