Onboarding Step 1: Setting up pre-requisites

AWS S3 Bucket Log Connector Prerequisite Infrastructure

Before you can set up Warden Threat Detection in your AWS environment, a logging infrastructure must be in place. This document covers the infrastructure required before you set up Warden Threat Detection for AWS.

Pre-Requisites

  • An AWS CloudTrail Trail.
  • An AWS S3 bucket that receives logs from the trail.
  • An SNS Topic configured to receive S3 Event Notifications from the S3 Bucket.


If you have an organization-wide CloudTrail, Warden Threat Detection will process events from your AWS Organization. Otherwise, only events from the CloudTrail’s AWS Account will be processed.

Reference Deployment Architecture

Setting Up the Log Ingestion Stack

Based on your current AWS Cloud Infrastructure, you may fall into one of the following scenarios:

  1. No CloudTrail, no S3 Bucket and no SNS Topic
  2. Existing CloudTrail with logs delivered to an S3 Bucket, no SNS Topic
  3. Existing CloudTrail with logs delivered to an S3 Bucket; and an SNS Topic

Scenario 1: No CloudTrail, no S3 Bucket and no SNS Topic

1. Log into the AWS Account where you would like to set up threat detection.

2. Click on this Warden Log Processing Infrastructure CloudFormation Template which automatically sets up the Stack parameters for you. You can review our CloudFormation template here.

3. Click Create Stack.

Infrastructure CloudFormation

4. CloudFormation will automatically create the resources needed in your account. You should then see all the resources created in the Events tab.

Infrastructure CloudFormation Output

5. Take note of the fields in the Outputs tab. They will be used as inputs when you add a new AWS S3 Bucket Logs Connector in Storyfier.

Infrastructure CloudFormation Output Resources

Scenario 2: Existing CloudTrail with logs delivered to an S3 Bucket, no SNS Topic

1. Log into the AWS Account where you would like to set up threat detection.

2. Click on this Warden Log Processing Notifications CloudFormation Template which automatically sets up the Stack parameters for you. You can review our CloudFormation template here.

3. Click Create Stack.

Notification CloudFormation

4. CloudFormation will automatically create the resources needed to ensure threat detection in your account. You should then see all the resources created in the Events tab.

Notification CloudFormation Output

5. Take note of the field in the Outputs tab. It will be used as an input when you add a new AWS S3 Bucket Logs Connector in Storyfier.


6. Navigate to the S3 console at https://console.aws.amazon.com/s3.

7. Select the S3 bucket that will receive all CloudTrail Logs and go to the Properties tab.

S3 Properties

8. Click Event Notifications and select Create event notification.

Create Event Notification

9. Enter your desired Event name, and under Event Types, select All object create events.

Event Types

10. Under Destinations, select SNS topic, and choose the SNS topic name created in Step 5.

SNS Topic

Scenario 3: Existing CloudTrail with logs delivered to an S3 Bucket; and an SNS Topic

1. Log into the AWS Account where you would like to set up threat detection.

2. Navigate to the Amazon Simple Notification Service (SNS) console and select the Topic you created for threat detection.

3. On the top right corner, select Edit.

Access Policy

4. Scroll to the Access Policy box, expand it and add the statement below to the policy's Statement array.

    {
      "Sid": "AllowCrossAccountSubscriptionForWardenThreatDetection",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::396286753434:root"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sns:<your_region>:<your_aws_account_id>:<your_sns_topic_name>"
    }

5. Scroll down and click Save changes.

6. Navigate to the S3 console at https://console.aws.amazon.com/s3

7. Select the S3 bucket that will receive all CloudTrail Logs and go to the Properties tab.

S3 Properties

8. Navigate to Event Notifications and select Create event notification.

Create Event Notification

9. Enter your desired Event name, and under Event Types, select All object create events.

Event Types

10. Under Destinations, select SNS topic, and choose the name of the SNS topic that we configured in Step 4.
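
As an added example (not Warden's or this page's own code), the Python script below merges the statement from Step 4 of Scenario 3 into an existing topic policy without duplicating it, then flags Allow statements that give the Warden account more than sns:Subscribe or that are open to any principal. The topic ARN, account ID and existing policy are constructed sample values; only the principal and Sid come from the page.

```python
import copy

# Principal and Sid are the ones given on the page; the topic ARN and the
# existing policy below are constructed sample values.
WARDEN = "arn:aws:iam::396286753434:root"
SID = "AllowCrossAccountSubscriptionForWardenThreatDetection"
TOPIC = "arn:aws:sns:ap-southeast-1:111122223333:cloudtrail-log-events"

EXISTING = {"Version": "2012-10-17", "Statement": {  # one statement as a bare object
    "Sid": "AllowS3Publish", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sns:Publish",
    "Resource": TOPIC,
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}}

def as_list(value):
    return value if isinstance(value, list) else [value]

def merge_warden_statement(policy, topic_arn):
    """Return a copy of policy holding the page's statement exactly once."""
    merged = copy.deepcopy(policy)
    kept = [s for s in as_list(merged.get("Statement", [])) if s.get("Sid") != SID]
    kept.append({"Sid": SID, "Effect": "Allow", "Principal": {"AWS": WARDEN},
                 "Action": "sns:Subscribe", "Resource": topic_arn})
    merged["Statement"] = kept
    return merged

def audit(policy, topic_arn):
    """Return findings for Allow statements broader than the page's grant."""
    findings = []
    for s in as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        actions = [a.lower() for a in as_list(s.get("Action", []))]  # actions are case-insensitive
        sid = s.get("Sid", "<no Sid>")
        if "*" in aws and "Condition" not in s:
            findings.append(f"{sid}: any AWS principal, no Condition")
        if WARDEN in aws and actions != ["sns:subscribe"]:
            findings.append(f"{sid}: Warden account granted more than sns:Subscribe")
        if WARDEN in aws and as_list(s.get("Resource")) != [topic_arn]:
            findings.append(f"{sid}: Resource is not this topic's ARN")
    return findings

if __name__ == "__main__":
    merged = merge_warden_statement(EXISTING, TOPIC)
    print(len(merged["Statement"]), "statements;", audit(merged, TOPIC) or "no findings")
```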

Continue to Onboard Threat Detection on Your AWS Environment