This article leads you through the process of integrating Amazon Web Services (AWS) with Red Canary. Follow the procedure from beginning to end.
Prerequisites
- You must have AWS permissions to:
  - Create Simple Notification Service (SNS) topics
  - Adjust resource policies on SNS topics
  - Set notifications on S3 buckets
  - Adjust resource policies on S3 buckets
  - Adjust resource policies on KMS keys
- Existing infrastructure:
  - AWS CloudTrail storing logs in an S3 bucket
  - Your AWS account ID. For more information, see Finding your AWS account ID.
  - ACLs disabled on the S3 bucket containing the CloudTrail logs (recommended by Amazon)
Summary of steps:
Step 1: AWS–Grant Red Canary permission to read your S3 Bucket
Step 2: AWS–Update your SNS topic policy
Step 3: AWS–Push notifications to your SNS topic from an S3 bucket
Step 4: AWS–Grant Red Canary permission to decrypt your CloudTrail data
Step 5: Red Canary–Integrate AWS with Red Canary
Step 1: AWS–Grant Red Canary permission to read your S3 Bucket
Red Canary subscribes its own SQS queue to your SNS topic (Step 2) and, for each notification, copies the new object from your S3 bucket into its ingestion bucket. This step grants the read permission that copy requires; nothing else in your bucket policy needs to change.
Note: ACLs on the S3 bucket will prevent Red Canary from retrieving logs from the bucket. ACLs must be disabled on the logging bucket.
1. From the AWS homepage, type and then select S3 in the search bar.
2. Click the bucket you want to use to send data to Red Canary.
3. Copy and then save the S3 bucket Amazon Resource Name (ARN). You will use this in a later step.
4. Click the Permissions tab.
5. Scroll down to the Object Ownership section, and then click Edit.
6. Click ACLs disabled (recommended).
7. Click Save Changes.
8. Scroll down to the Block public access section, and then ensure that Block all public access is switched On.
9. Scroll down to the Bucket Policy section, and then click Edit.
10. In the JSON editor, add the following statement to the Statement array of the existing bucket policy. Do not replace the whole policy: a CloudTrail logging bucket already carries the statements that let the CloudTrail service write to it, and removing them stops log delivery.
   {
     "Sid": "RCReadCloudTrail",
     "Effect": "Allow",
     "Principal": {
       "AWS": [
         "arn:aws:iam::823104324086:role/rc-partner-access-control"
       ]
     },
     "Action": "s3:GetObject",
     "Resource": [
       "<ENTER YOUR S3 BUCKET ARN HERE>",
       "<ENTER YOUR S3 BUCKET ARN HERE>/*"
     ]
   }
   Replace both occurrences of the placeholder with the bucket ARN from Step 1.3.
11. Click Save Changes.
Step 2: AWS–Update your SNS topic policy
Add permissions to your SNS’s policy to enable Red Canary to subscribe to the topic.
1. From the AWS homepage, type and then select Simple Notification Service in the search bar.
2. From the Topics section, click the number.
3. Select the SNS topic you want to update.
4. Copy and save the SNS topic Amazon Resource Name (ARN). You will use this in a later step.
5. Click Edit.
6. Click the Access Policy dropdown.
7. In the JSON editor, enter the following policy. The first statement lets Red Canary's account subscribe to the topic. The second has a wildcard Principal, so its Condition is what keeps it safe: it only matches requests whose AWS:SourceArn is your CloudTrail bucket, which is how S3 identifies itself when it publishes an event notification for that bucket.
   Note: Do NOT replace "AWS:SourceArn" in the second statement with "AWS:SourceOwner". That will break Red Canary's access to your SNS topic; this is due to a bug in AWS.
   {
     "Version": "2008-10-17",
     "Id": "__default_policy_ID",
     "Statement": [
       {
         "Sid": "RCPartnerAccessControl",
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::823104324086:root"
         },
         "Action": "SNS:Subscribe",
         "Resource": "<ENTER YOUR SNS TOPIC ARN HERE>"
       },
       {
         "Sid": "__default_statement_ID",
         "Effect": "Allow",
         "Principal": {
           "AWS": "*"
         },
         "Action": [
           "SNS:Publish",
           "SNS:RemovePermission",
           "SNS:SetTopicAttributes",
           "SNS:DeleteTopic",
           "SNS:ListSubscriptionsByTopic",
           "SNS:GetTopicAttributes",
           "SNS:AddPermission",
           "SNS:Subscribe"
         ],
         "Resource": "<ENTER YOUR SNS TOPIC ARN HERE>",
         "Condition": {
           "StringEquals": {
             "AWS:SourceArn": "<ENTER YOUR S3 BUCKET ARN HERE>"
           }
         }
       }
     ]
   }
8. Replace both Resource values with the SNS topic ARN from Step 2.4.
9. Replace the AWS:SourceArn value with the S3 bucket ARN from Step 1.3.
10. Click Save changes.
Step 3: AWS–Push notifications to your SNS topic from an S3 bucket
When data is put into an S3 bucket, messages can be pushed onto your SNS topic. SNS can then push notifications to any subscriber including the Red Canary SQS queue.
1. From the AWS homepage, type and then select S3 in the search bar.
2. Click the bucket you configured in Step 1.
3. Click the Properties tab.
4. Scroll down to the Event notifications section, and then click Create event notification.
5. Enter an Event name for your event notification.
6. From the Event types section, select All object create events.
7. From the Destination section, select SNS topic.
8. From the SNS topic dropdown, select the SNS topic you updated in Step 2. If the topic is not listed or saving fails, the topic policy from Step 2 is usually the cause: S3 checks that it is allowed to publish to the topic when you save the notification.
9. Click Save Changes.
Step 4: AWS–Grant Red Canary permission to decrypt your CloudTrail data
Note: KMS encryption is not required. If your trail does not encrypt its logs with an AWS KMS key (SSE-KMS), skip to Step 5.
Red Canary must be able to decrypt your CloudTrail log objects before it can process them. Add a statement to the policy of the KMS key your trail uses.
1. From the AWS homepage, type and then select CloudTrail in the search bar.
2. Click the trail that you want Red Canary to have access to.
3. Click the AWS KMS key.
4. Copy and then save the AWS KMS key ARN. You will use this in a later step.
5. Scroll down to the Key Policy section.
6. In the editor, add the following statement to the Statement array of the key policy. Keep the statements already there, such as the ones that let CloudTrail encrypt with the key and your administrators manage it.
   {
     "Sid": "LetRedCanaryDecryptLogs",
     "Effect": "Allow",
     "Principal": {
       "AWS": ["arn:aws:iam::823104324086:role/rc-partner-access-control"]
     },
     "Action": [
       "kms:Decrypt",
       "kms:DescribeKey"
     ],
     "Resource": "*"
   }
   Note: In a key policy, "Resource": "*" refers to this KMS key only. For more information, see Key Policy Elements.
7. Click Save Changes.
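Steps 1, 2 and 4 all come down to the same operation: add a statement to a resource policy that already has content, without clobbering what is there, and check the result before saving. The following is an added example in Python, not Red Canary's or AWS's own code. It builds the three statements from this article, merges them into an existing policy by Sid (so it is safe to re-run), and lints the merged policy for the two mistakes that matter here: an Allow open to every principal with no Condition, and a grant to an account other than your own or Red Canary's. The SNS publish statement is narrowed to SNS:Publish, the only action S3 event notifications need, instead of the console's default action list; the Sid S3PublishFromCloudTrailBucket, the script name and the boto3 calls under __main__ are this example's assumptions.

```python
# Added example, not Red Canary's or AWS's own code: build the statements from
# Steps 1, 2 and 4, merge them into an existing policy by Sid without dropping
# what is already there, and lint the result before it is applied. Runs offline
# on constructed policies; the boto3 calls under __main__ are an assumption
# about how the merged bucket policy would be applied.
import copy
import json
import sys

RC_ACCOUNT = "823104324086"  # Red Canary's AWS account ID, from the article
RC_ROLE_ARN = f"arn:aws:iam::{RC_ACCOUNT}:role/rc-partner-access-control"

def bucket_statement(bucket_arn):
    """Step 1: the Red Canary role may read objects from the CloudTrail bucket."""
    return {"Sid": "RCReadCloudTrail", "Effect": "Allow",
            "Principal": {"AWS": [RC_ROLE_ARN]}, "Action": "s3:GetObject",
            "Resource": [bucket_arn, f"{bucket_arn}/*"]}

def sns_statements(topic_arn, bucket_arn):
    """Step 2: Red Canary may subscribe; S3 may publish on behalf of the bucket.
    The publish grant is narrowed to SNS:Publish, the only action S3 event
    notifications need, rather than the console's default action list."""
    return [
        {"Sid": "RCPartnerAccessControl", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{RC_ACCOUNT}:root"},
         "Action": "SNS:Subscribe", "Resource": topic_arn},
        # The wildcard principal is only acceptable because of the Condition:
        # S3 sets aws:SourceArn to the bucket ARN when it publishes an event.
        {"Sid": "S3PublishFromCloudTrailBucket",  # Sid chosen for this example
         "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
         "Resource": topic_arn,
         "Condition": {"StringEquals": {"AWS:SourceArn": bucket_arn}}},
    ]

def kms_statement():
    """Step 4: the Red Canary role may decrypt under this key; in a key policy,
    Resource "*" means the key the policy is attached to."""
    return {"Sid": "LetRedCanaryDecryptLogs", "Effect": "Allow",
            "Principal": {"AWS": [RC_ROLE_ARN]},
            "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}

def merge_statements(policy, new_statements):
    """Copy of `policy` with each new statement upserted by Sid; existing
    statements (e.g. CloudTrail's own write grant on the bucket) are kept."""
    merged = copy.deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    statements = merged.setdefault("Statement", [])
    index = {s["Sid"]: i for i, s in enumerate(statements) if "Sid" in s}
    for stmt in new_statements:
        if stmt["Sid"] in index:
            statements[index[stmt["Sid"]]] = stmt
        else:
            index[stmt["Sid"]] = len(statements)
            statements.append(stmt)
    return merged

def _aws_principals(principal):
    """Flatten the Principal element to a list of AWS principal strings."""
    if isinstance(principal, str):
        return [principal]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def lint(policy, trusted_accounts):
    """Flag Allow statements open to every principal with no Condition, and
    Allow statements naming an account other than yours or Red Canary's."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for p in _aws_principals(stmt.get("Principal")):
            if p == "*" and not stmt.get("Condition"):
                findings.append(f"{sid}: wildcard principal without a Condition")
            elif p.startswith("arn:aws:iam::") and p.split(":")[4] not in trusted_accounts:
                findings.append(f"{sid}: grants access to untrusted account {p.split(':')[4]}")
    return findings

if __name__ == "__main__":  # usage: python rc_policies.py BUCKET YOUR_ACCOUNT_ID
    import boto3  # assumption: credentials holding the prerequisite permissions
    from botocore.exceptions import ClientError
    bucket, my_account = sys.argv[1:3]
    s3 = boto3.client("s3")
    try:
        current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current = None
    merged = merge_statements(current, [bucket_statement(f"arn:aws:s3:::{bucket}")])
    problems = lint(merged, {my_account, RC_ACCOUNT})
    if problems:
        sys.exit("\n".join(problems))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(merged))
    # Apply the SNS and KMS policies the same way, via sns.set_topic_attributes(
    # TopicArn=..., AttributeName="Policy", AttributeValue=...) and
    # kms.put_key_policy(KeyId=..., PolicyName="default", Policy=...).
```

The merge keys on Sid, so running it twice leaves one copy of each Red Canary statement, and the lint runs on the merged document rather than on the new statements alone, which is what catches a pre-existing wildcard grant you did not know the bucket or topic had.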
Step 5: Red Canary–Integrate AWS with Red Canary
Enter your AWS account information into Red Canary in order to start receiving AWS alerts.
1. From your Red Canary homepage, click Integrations.
2. From the Integrations section, locate and then click Amazon Web Services.
   Note: If you do not see Amazon Web Services listed, click See all integrations, and then, in the search bar, type and select Amazon Web Services.
3. Continue onto the next step by configuring your AWS source in Red Canary.
   Note: Your third-party security source may require that you contact Red Canary to configure.
4. Enter a name for your new AWS integration.
5. Choose the scope of your integration by selecting either Organization or Account, and then continue with the matching section below.
Organization
1. If you selected Organization, enter your Organization ID. To locate it, navigate to AWS, search for Organizations, click Organizations, and then paste the organization ID into Red Canary.
2. Enter any Excluded Accounts. This step is optional.
3. Click Next.
4. Copy and then paste the ARN of the S3 bucket containing the CloudTrail logs, as well as the ARN of the SNS topic.
5. Click Next.
6. Grant Red Canary access to the following policies:
7. Click Next.
8. To use one of the provided templates to provision an IAM role in your environment for Red Canary access, click either CloudFormation or Terraform to access the appropriate template.
9. Enter the ARN for the IAM role.
10. Apply the Terraform module or CloudFormation template to all accounts in the AWS organization. The IAM role name must be the same across all accounts. The default and recommended role name is:
   rc-partner-access-control
   The role ARN entered above is the only required input for successful scanning of all accounts which have been assigned the proper role and permissions. A CloudFormation StackSet can propagate the configuration to all accounts in the AWS organization (for more information, read AWS CloudFormation).
11. From the Advanced Configuration section, Ingest GuardDuty Finding is selected by default. If you do not want Red Canary to ingest this type of data, deselect Ingest GuardDuty Finding.
   Note: In order for Red Canary to have access to context, analysis, and improved insight into potential risks in your security environment, we recommend that you leave Ingest GuardDuty Finding enabled.
12. Click Save.
Account
1. If you selected Account, enter your Account ID.
2. Click Next.
3. Copy and paste the ARN of the S3 bucket containing the CloudTrail logs, as well as the ARN of the SNS topic.
4. Click Next.
5. Grant Red Canary access to the following policies:
6. Click Next.
7. To use one of the provided templates to provision an IAM role in your environment for Red Canary access, click either CloudFormation or Terraform to access the appropriate template.
8. Enter the ARN for the IAM role.
9. Click Save.