AWS Threat Detection Integration Onboarding

This document walks you through onboarding Threat Detection for your AWS environment.

Step 1: Setting up necessary infrastructure in AWS account

To enable threat detection, you will need:

  • An AWS CloudTrail trail.
  • An Amazon S3 bucket that receives the log files the trail delivers.
  • An SNS topic that receives S3 Event Notifications from that bucket; these notifications are how Warden learns that a new log file has arrived.

See the linked guide on how to set up your prerequisite AWS infrastructure.
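The three pieces above are wired together with resource policies, and the security-relevant part is the conditions on those policies: the bucket policy should let only your own trail write into the bucket, and the topic policy should let only your own bucket publish to the topic. The following is an added example, not Horangi's code or part of the linked guide, that builds those two policies plus the S3 notification configuration and applies them with boto3. The account ID, region, bucket, trail and topic names are placeholders, and it assumes the trail was created without a custom S3 key prefix (so logs land under AWSLogs/<account-id>/).

```python
"""Wire CloudTrail -> S3 -> SNS for the log connector.

Added example, not Horangi's own code. All identifiers below are
placeholders (assumptions) to replace with your own values.
"""
import json


def cloudtrail_bucket_policy(bucket, account_id, trail_arn):
    """Bucket policy that lets only the named trail deliver logs.

    This is AWS's documented CloudTrail bucket policy. The aws:SourceArn
    condition stops a trail in some other account from writing into (or
    polluting) your log bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # No custom key prefix on the trail (assumption), so logs go here.
                "Resource": f"{bucket_arn}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,
                }},
            },
        ],
    }


def sns_topic_policy(topic_arn, bucket, account_id):
    """Topic policy that lets S3 publish event notifications, but only on
    behalf of this bucket in this account (aws:SourceArn + aws:SourceAccount).
    Without the conditions, any bucket anywhere could inject fake
    'new log file' events into the detection pipeline."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3EventNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def bucket_notification_config(topic_arn, prefix):
    """S3 -> SNS notification for every new object under the log prefix.
    The prefix filter keeps unrelated uploads out of the pipeline and should
    match the S3 Prefix Filter you enter in the connector form."""
    return {
        "TopicConfigurations": [{
            "Id": "cloudtrail-to-sns",
            "TopicArn": topic_arn,
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
        }]
    }


def apply(bucket, account_id, region, trail_name, topic_name):
    """Apply all three pieces. Assumes AWS credentials are available in the
    usual places and that the bucket, trail and topic already exist."""
    import boto3  # imported here so the pure builders above work offline
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    topic_arn = f"arn:aws:sns:{region}:{account_id}:{topic_name}"
    s3 = boto3.client("s3", region_name=region)
    sns = boto3.client("sns", region_name=region)
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(cloudtrail_bucket_policy(bucket, account_id, trail_arn)))
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy",
        AttributeValue=json.dumps(sns_topic_policy(topic_arn, bucket, account_id)))
    s3.put_bucket_notification_configuration(
        Bucket=bucket,
        NotificationConfiguration=bucket_notification_config(
            topic_arn, f"AWSLogs/{account_id}/"))


if __name__ == "__main__":
    # Placeholder values (assumptions); swap in your own before calling apply().
    trail = "arn:aws:cloudtrail:ap-southeast-1:123456789012:trail/org-trail"
    print(json.dumps(cloudtrail_bucket_policy("my-cloudtrail-logs", "123456789012", trail), indent=2))
```

Run the builders first and diff their output against what is already on the bucket and topic; only then call apply(), because put_bucket_policy and set_topic_attributes replace the existing policy rather than merging into it.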

Step 2: Add AWS S3 Log Connector

Next, you will need to add an AWS S3 Log Connector integration in Storyfier.

  1. Log into your Horangi Storyfier platform.
  2. Click on the gear icon at the top left. On the left panel, click on Integrations. Look for the AWS S3 Bucket Logs Connector row and click ADD.
    (Screenshot: Topbar)
    (Screenshot: Integrations page)
  3. Next, fill in the details of your S3 bucket.
    1. Name - Name of your integration.
    2. Account ID - The 12-digit AWS account ID of the account that owns the S3 bucket receiving the CloudTrail logs.
    3. Bucket Name - The S3 bucket to which CloudTrail logs (and any other log types) are delivered.
    4. S3 Prefix Filter <optional> - The key prefix within the bucket whose files Warden will process. If this is left empty, Warden processes every new file in the bucket, so set it if the bucket also receives unrelated data.
    5. KMS Key <optional> - If the objects are encrypted with SSE-KMS, provide the ARN of the KMS key so that Warden can decrypt them.
    6. SNS Topic ARN - The ARN of the SNS topic from which Warden retrieves the S3 Event Notifications.
  4. After filling in the necessary information, click Next.
  5. You will be given instructions to create an IAM role that grants Horangi access to your S3 bucket.
  6. Click on the LAUNCH CLOUDFORMATION STACK button. You can review our CloudFormation template before launching it.
    (Screenshot: CloudFormation page)
  7. After reviewing all the parameters, check the “I acknowledge that AWS CloudFormation might create IAM resources” box and create the stack.
  8. Once the stack has finished creating, go to the Outputs tab, copy the value of LogProcessingRoleArn and paste it into Step 2 of the AWS S3 Log Connector form.
    (Screenshot: CloudFormation Outputs)
  9. Once the connection is successful, you will be able to view your integration on the Integrations page.
    (Screenshot: AWS S3 Bucket Connected)
    (Screenshot: Name of Log Connector)
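Step 6 asks you to review the CloudFormation template before creating an IAM role that a third party will assume, and the review is worth doing properly: the role's trust policy should name only the vendor's account and require an sts:ExternalId (so that no other customer of the vendor can be used as a confused deputy to reach your bucket), and its permissions should cover only the bucket, prefix, KMS key and SNS topic you typed into the form. The following is an added example, not Horangi's template or code, of a small checker for exactly those points. The two sample policies in it are constructed to resemble a typical cross-account log-reader role; feed review_role() the AssumeRolePolicyDocument and Policies from the real template instead. The EXPECTED_ACTIONS allow-list and the vendor account ID are assumptions.

```python
"""Check a cross-account log-processing role before creating the stack.

Added example, not Horangi's CloudFormation template. The sample trust and
permission policies at the bottom are constructed, not taken from the template.
"""

# Assumption: the actions a read-only log consumer plausibly needs. Any other
# action in the template deserves a question before you acknowledge the stack.
EXPECTED_ACTIONS = {
    "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
    "kms:Decrypt", "kms:DescribeKey",
    "sns:Subscribe", "sns:Unsubscribe", "sns:GetTopicAttributes",
    "sns:ListSubscriptionsByTopic",
}


def _as_list(value):
    """IAM accepts a bare string or a list for Statement/Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def review_role(trust_policy, permissions_policy, expected):
    """Return a list of findings; empty means the role matches the connector form.

    `expected` holds the values typed into the form (bucket, prefix, kms_key_arn
    or None, sns_topic_arn) plus vendor_account_id, the account the role should trust."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{expected['bucket']}"
    in_scope = {bucket_arn, f"{bucket_arn}/{expected['prefix']}*", expected["sns_topic_arn"]}
    if expected.get("kms_key_arn"):
        in_scope.add(expected["kms_key_arn"])

    # Trust policy: only the vendor account, only sts:AssumeRole, only with the ExternalId.
    for st in _as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = principal.get("AWS", ["*"]) if isinstance(principal, dict) else principal
        for p in _as_list(principals):
            if p == "*" or expected["vendor_account_id"] not in str(p):
                findings.append(f"trust: unexpected principal {p!r}")
        actions = _as_list(st.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"trust: action should be exactly sts:AssumeRole, got {actions!r}")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")

    # Permissions: only read-style actions, only the resources named in the form.
    for st in _as_list(permissions_policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action not in EXPECTED_ACTIONS:
                findings.append(f"permissions: action {action!r} not expected for a log reader")
        for resource in _as_list(st.get("Resource", [])):
            if resource not in in_scope:
                findings.append(f"permissions: resource {resource!r} is outside the connector scope")
    return findings


# Constructed sample input (not the real template): a well-scoped role.
EXPECTED = {
    "vendor_account_id": "111111111111",  # placeholder vendor account
    "bucket": "my-cloudtrail-logs",
    "prefix": "AWSLogs/123456789012/",
    "kms_key_arn": "arn:aws:kms:ap-southeast-1:123456789012:key/placeholder-key-id",
    "sns_topic_arn": "arn:aws:sns:ap-southeast-1:123456789012:cloudtrail-events",
}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "id-shown-in-the-connector-form"}},
}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": f"arn:aws:s3:::{EXPECTED['bucket']}/{EXPECTED['prefix']}*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": f"arn:aws:s3:::{EXPECTED['bucket']}"},
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": EXPECTED["kms_key_arn"]},
    {"Effect": "Allow", "Action": ["sns:Subscribe"], "Resource": EXPECTED["sns_topic_arn"]},
]}
# The same role with two common mistakes: no ExternalId, and a wildcard resource.
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
}]}
BAD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
]}

if __name__ == "__main__":
    print("good:", review_role(GOOD_TRUST, GOOD_PERMS, EXPECTED))
    print("bad: ", review_role(BAD_TRUST, BAD_PERMS, EXPECTED))
```

The checker is deliberately strict about resources: an s3:ListBucket grant on the bucket ARN is expected, but a grant on arn:aws:s3:::* or on a different bucket is reported, because the form only ever asked for one bucket.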

Offboarding

When you offboard threat detection from your AWS environment, Warden stops receiving events from that S3 bucket. Removing the connector does not delete anything in your AWS account: the CloudFormation stack (and the IAM role it created), the trail, the bucket and the topic remain, so delete the stack yourself once the connector is gone if Horangi should no longer be able to assume the role.

To offboard threat detection from your AWS environment, you will need to remove the S3 Log Connector from your Horangi account.

  1. Log into your Horangi Storyfier platform.
  2. Click on the gear icon at the top left. On the left panel, click on Integrations. Look for the AWS S3 Bucket Logs Connector row.
    (Screenshot: Topbar)
    (Screenshot: AWS Log Connector)
  3. Select the View button for the S3 Bucket Log Connector that you want to offboard.
    (Screenshot: Name of Log Connector)
  4. Now, click on the DELETE CONNECTION button at the bottom left.
    (Screenshot: Details of Log Connector)
  5. After clicking DELETE CONNECTION, select DELETE CONNECTOR in the pop-up window that follows.
    (Screenshot: Delete Connector)