www.expel.io

AWS Direct getting started guide

Version 1.0

December 13, 2020

www.expel.io2

What’s in this guide?

Howdy! In this guide, you’ll find instructions on how to:

1. Create Global CloudTrail/S3;

2. Create SQS queue;

3. Create AWS IAM Policy;

4. Create AWS IAM Role;

5. Register AWS Direct in Expel Workbench™.

Prerequisites

1. An AWS account with permissions to create and modify IAM policies and roles.

Notes

1. If you use AWS organizations, you need to do Steps 3 and 4 on all accounts under the organization.

2. We have Terraform available to complete the creation of the IAM Role.

Step 1 — Configure a global CloudTrail

Create a global CloudTrail:

A. Log in to the AWS console. If you have multiple AWS accounts and use AWS Organizations, log into your master account

B. Navigate to the CloudTrail service and create a new trail (Figure 1). Note: Be sure to create the trail in the correct home region

www.expel.io3

Figure 1

C. Choose trail attributes (Figure 2)

a. Name Trail — we recommend GlobalCloudTrail

b. Select Create new S3 bucket and name bucket

c. When creating a new trail, ensure that “Enable for all accounts in my organization” is selected if you are using AWS Organizations

d. Optional — If you are using KMS enter KMS alias

e. Optional — If you are using SNS select SNS Topic

www.expel.io4

Figure 2

D. Leave the CloudWatch Logs and Tags sections blank and select Next (Figure 3)

www.expel.io5

Figure 3

E. Choose log events (Figure 4)

a. Events — Only select “Management events” leave the rest unchecked

b. Management events — Select “Read” and “Write” leave “Exclude AWS KMS events” unchecked

c. Select Next

Figure 4

www.expel.io6

F. Review and create (Figure 5)

a. Verify Trail attributes and select Create Trail

Figure 5

www.expel.io7

Step 2 — Create an SQS queue to receive S3 notifications

In order to consume CloudTrail events from the trail’s S3 bucket, Expel needs to be notified when new event files are added to the S3 bucket. In this step, we will create an SQS queue for these notifications.

Note: The SQS queue must be in the same account and regions as the S3 bucket created in Step 1

A. Navigate to Simple Queue Service and click Get Started Now (if this is the first SQS queue you have created), or click Create New Queue if you already have other SQS Queues defined (Figure 6)

Figure 6

B. Create queue

a. Details — Queue Name is filled in as ExpelMasterCloudTrailNotify, select Standard Queue (Figure 7)

b. Configuration —

1. Visibility timeout — 30 Seconds

2. Message retention period 7 days

3. Delivery delay — 0 Seconds

4. Maximum message size — 256 KB

5. Receive message wait time — 0 Seconds

www.expel.io8

Figure 7

C. Access policy —

a. Select Advanced, change the Resource and aws:SourceArn sections of the following JSON then copy and paste to the box

***Please note your SQS ARN will be populated when you switch to the Advanced Tab*** (Figure 8)

www.expel.io9

{ "Version": "2012-10-17", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__owner_statement", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "SQS:SendMessage", "Resource": "<YOUR_SQS_QUEUE_ARN_HERE>", "Condition": { "ArnLike": { "aws:SourceArn": "<YOUR_S3_BUCKET_ARN_HERE>" } } } ]}

Figure 8

b. Select Create Queue

www.expel.io10

Configure S3 notificationsD Navigate to the S3 bucket containing your CloudTrail logs (created in Steps A–F above under Create a

global CloudTrail)

E. Navigate to Properties (Figure 9)

Figure 9

F. Select Create event notifications (Figure 10)

Figure 10

www.expel.io11

G. General configuration

a. Event name — “ExpelNotifyQueue”

b. Select the “All object create events” checkbox under Event Types (Figure 11)

Figure 11

www.expel.io12

H. Destination

a. Select SQS Queue under Destination (Figure 12)

b. Select Choose from your SQS queues and select the queue you created from the drop down list. If you do not see your queue you can select Enter SQS queue ARN and enter the queue ARN in the field

I. Save changes

Figure 12

www.expel.io13

Step 3 — Create AWS IAM policy

In this step we’re going to create a permissions policy that will be assigned to the IAM Role.

If you use AWS organizations, the primary Expel role will reside in the organization’s master account where the CloudTrail, S3 and SQS queue were created for the integration.

The role and policy must be replicated across all of the other accounts in the organization in order to perform AWS investigative actions. The policy in the sub-accounts can be modified to exclude the SQS and S3 resources.

A. Create AWS IAM Policy

a. Navigate to the IAM service (Figure 13)

b. Go to Policies and click on Create Policy

Figure 13

www.expel.io14

c. Select the JSON tab and add the following permissions using the JSON tab

{"Version": "2012-10-17","Statement": [{"Sid": "VisualEditor0","Effect": "Allow","Action": ["ec2:DescribeInstances","ec2:DescribeRegions","ec2:DescribeSecurityGroups","iam:List*","iam:Get*","rds:DescribeDBInstances","rds:ListTagsForResource","organizations:ListAccounts","ec2:DescribeVolumes","ecs:DescribeTaskDefinition","ecs:ListTaskDefinitions","lambda:GetFunction","lambda:ListFunctions","lightsail:GetInstances","lightsail:GetRegions","s3:ListAllMyBuckets","cloudtrail:GetTrailStatus","cloudtrail:DescribeTrails"],"Resource": "*"},{"Effect": "Allow","Action": ["sqs:DeleteMessage","sqs:DeleteMessageBatch","sqs:ReceiveMessage","sqs:GetQueueAttributes"],"Resource": "<YOUR_SQS_ARN>"},{"Effect": "Allow","Action": ["s3:GetObject"],"Resource": "<YOUR_S3_ARN>/*"}] }

Please note that there should be “/*” at the end of your S3 ARN in the “Resource” section. This allows the role to access all of the sub folders in your bucket.

www.expel.io15

Permissions List

Permission Usage

ec2:DescribeRegions Dynamically list all enabled regions for a customer account

ec2:DescribeInstances Cloud investigative actions and inventory

ec2:DescribeSecurityGroups Cloud investigative actions and inventory

iam:List* Cloud investigative actions and inventory

iam:Get* Cloud investigative actions and inventory

lambda:GetFunction Cloud investigative actions and inventory

rds:DescribeDBInstances Cloud investigative actions and inventory

rds:ListTagsForResource Cloud investigative actions and inventory

organizations:ListAccounts Enumerate accounts in an org

sqs:DeleteMessage Remove Processed messages from the queue

sqs:DeleteMessageBatch Remove Processed messages from the queue

sqs:ReceiveMessage Read messages

sqs:GetQueueAttributes Retrieve the state of the queue

s3:GetObject Download cloudtrail log files

ec2:DescribeVolumes Cloud investigative actions and inventory

ecs:DescribeTaskDefinition Inventory

ecs:ListTaskDefinitions Inventory

lambda:ListFunctions Cloud investigative actions and inventory

lightsail:GetInstances Cloud investigative actions and inventory

lightsail:GetRegions Cloud investigative actions and inventory

s3:ListAllMyBuckets Cloud investigative actions and inventory

www.expel.io16

d. Review and name the policy ExpelAPIPolicy (Figure 14)

Figure 14

Step 4 — Create IAM Role

A. From within the IAM service, navigate to Roles and click Create Role (Figure 15)

Figure 15

www.expel.io17

B. Select Another AWS account and fill out the required fields

C. Account ID: 012205512454 (Expel’s AWS account ID)

D. External ID: This unique identifier will be provided to you by Expel (Figure 16)

Figure 16

E. Attach the IAM policy from Step 1 to the Role (Figure 17)

Figure 17

F. Skip Add Tags

www.expel.io18

G. Review — Name the role and create the Role (Figure 18)

Figure 18

It’s important that all accounts roles have the same name for the integration to work.

H. Navigate to the role you just created and copy the following information:

■ Role ARN

■ External ID Value under the Trust relationships tab

Step 5 — Register AWS in Workbench

Based on how you generated the account credentials in Step 2, use one of the following procedures:

Onboarding AWS Direct

A. Login to https://workbench.expel.io

B. Navigate to Settings, then Security Devices

C. At the top right of the page, select Add New Device

D. Search for and select Amazon Web Services (direct)

www.expel.io19

E. Fill out the following fields:

a. Role arn: The Role ARN

b. External ID: The External ID

c. Role session name: Use a unique name to identify the use of the role

d. Region: the trail S3 and SQS region.

e. SQS URL: Queue URL

F. Select Save

After a few minutes (this may take as long as 15 minutes), refresh the Security Devices page and you should see your device reporting as Healthy. If there is an issue, the status will be Unhealthy and there will be a message with more detail on the source of the problem.

If you see an Unhealthy message and are unable to troubleshoot, contact your engagement manager or devicehealth@expel.io for support.

That’s it! Give yourself a pat on the back — you’re done!If you have any issues, concerns, questions or feedback,

please don’t hesitate to contact Expel at devicehealth@expel.io.