Configure Alert Logic Cloud Defender AWS cross-account role access
Alert Logic Cloud Defender supports Amazon Web Services (AWS) cross-account roles. The Cloud Defender Deployments page in the Alert Logic console allows you to create deployments for your AWS accounts. On this page, you can edit an AWS deployment name, add and edit AWS credentials to provide us with cross-account access to those accounts, and delete deployments.
Before you begin
Before Alert Logic can manage the protection of your AWS accounts, you must:
- Log into your AWS account to create a cross-account role to allow Alert Logic to access your AWS accounts.
- Log into Cloud Defender to configure credentials for each discovered AWS deployment.
- Determine whether you want to configure cross-account access for centralized CloudTrail log collection. For more information about centralized log collection, see Should you centralize CloudTrail log collection?
About AWS cross-account roles
Cross-account roles allow Alert Logic to access your AWS account. AWS role creation requires that you provide an AWS policy, a document that specifies the permissions assigned to the AWS role you create for Alert Logic to access your AWS account.
When you create a role to provide Alert Logic cross-account access to your AWS accounts, you provide better protection for those accounts with:
- Improved agent lifecycle management
- Optimized appliance deployments
- Auto detection of new assets and changed configurations
To set up or edit cross-account access, click an AWS deployment tile on the Deployments page, and then provide your AWS role ARN and the External ID.
When you set up your AWS cross-account role for Cloud Defender, you can choose from two levels of permissions:
- Full permission deployment—Allows Alert Logic to make all the necessary changes to your AWS account.
- Minimal permission deployment—Allows you to maintain full control over the changes in your deployment, and requires you to perform any necessary actions manually.
Our full permission policy document does not allow us to:
- Retrieve secret keys or credentials from IAM
- Retrieve data from data stores other than S3
- Perform these actions from any other AWS account
- Grant access to the protected account to any other AWS account or user
- Modify IAM credentials or policies
Should you centralize CloudTrail log collection?
AWS allows you to use a separate, dedicated account with CloudTrail enabled to centralize your CloudTrail collection. Regardless of the level of permissions you choose to configure in the Alert Logic console, you can choose to centralize log collection, which requires a second IAM role to allow Alert Logic to access the AWS receiving account that collects CloudTrail data.
If you provide cross-account access to the AWS receiving account for centralized log collection, you get near real-time updates about your assets. Without this cross-account access, Cloud Defender refreshes information about your assets only every 12 hours.
Full permission deployment
Alert Logic recommends full permission deployment, which requires the use of the recommended policy available within the Alert Logic console. This set of permissions allows Cloud Defender to discover your AWS environment and automate the setup of the required AWS services.
To use full permission deployment, you must grant Alert Logic permissions to make changes to your environment (enable/modify AWS CloudTrail settings, create an Amazon SQS queue and an Amazon SNS topic, modify permissions).
Full permission deployment allows you to set up CloudTrail in either the AWS account you want protected by Cloud Defender, or in a separate account in which CloudTrail is configured for centralized log collection.
To configure full permission deployment, you must log into your AWS account and create a policy and IAM role, and then log into Cloud Defender and provide your role information. AWS role creation requires that you provide an AWS policy, a document that specifies the permissions assigned to the AWS role you create for Alert Logic to access your AWS account.
Use a CloudFormation template to create an IAM policy and role for full permission deployment
Alert Logic recommends you use our CloudFormation template for quick, convenient IAM policy and role creation.
To use the CloudFormation template to create a deployment:
- Log into the AWS Console.
- Log into the Alert Logic console.
- From the Deployments page, click the icon.
- Select Amazon Web Services.
- Type a name for your deployment, and then click SAVE AND CONTINUE.
- Under Cloud Defender, click SELECT, and then click CONTINUE.
- Click CLOUDFORMATION SETUP to use the Alert Logic CloudFormation template to create the AWS role needed for deployment creation.
- Follow the on-screen procedure to access the AWS CloudFormation Create Stack page and generate the role ARN you need to create your deployment.
- When prompted, paste the role ARN you copied from the AWS CloudFormation Create Stack page.
- Click CONTINUE.
Manually create an IAM policy and role for full permission deployment
Before you begin, download and open this recommended policy document (JSON file) for full permission deployment. Keep the document open so you can copy and paste the information during IAM role creation.
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID—Type the AWS account that Alert Logic uses to collect logs:
- If you are using the US data center: 733251395267
- If you are using the EU data center: 857795874556
- Select Require external ID.
- External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings > Support Information.
- Require MFA—Make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Cloud Defender console.
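The console steps above (trusted entity "Another AWS account", "Require external ID" selected, "Require MFA" not selected) produce a role trust policy. The following Python is an added example, not Alert Logic's own code or policy file: it builds the equivalent trust-policy document from the account IDs listed above and reviews an existing role's trust policy against the same requirements, so you can check a role created earlier (or by a teammate) before pasting its ARN into Cloud Defender. The customer ID value used in the comments and tests is a constructed placeholder; use your own Customer ID. The same check applies to every "To create a cross-account access role" procedure on this page.

```python
import json
from typing import List

# Alert Logic collector account IDs as listed on this page; pick the one for your data center.
ALERT_LOGIC_ACCOUNTS = {"US": "733251395267", "EU": "857795874556"}


def build_trust_policy(data_center: str, external_id: str) -> dict:
    """Trust policy equivalent to the console choices above: trusted entity 'Another AWS
    account', 'Require external ID' selected, 'Require MFA' left unselected."""
    account = ALERT_LOGIC_ACCOUNTS[data_center]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "sts:AssumeRole",
                # The external ID stops a third party from tricking Alert Logic into
                # assuming your role on their behalf (the confused-deputy case).
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, expected_external_id: str) -> List[str]:
    """Review an existing role's trust policy against the page's requirements.
    Returns a list of findings; an empty list means the policy is as expected."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            # Only the Alert Logic collector account may assume the role.
            if p == "*" or not any(acct in p for acct in ALERT_LOGIC_ACCOUNTS.values()):
                findings.append(f"statement {i}: principal {p!r} is not an Alert Logic account")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or does not match")
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            findings.append(f"statement {i}: requires MFA, which an automated cross-account caller cannot satisfy")
    if not statements:
        findings.append("trust policy has no statements")
    return findings


if __name__ == "__main__":
    # Constructed placeholder customer ID; substitute your own Alert Logic Customer ID.
    policy = build_trust_policy("US", "EXAMPLE-CUSTOMER-ID")
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, "EXAMPLE-CUSTOMER-ID"))
```

To review a role that already exists, fetch its trust document (for example with `aws iam get-role`, reading the `AssumeRolePolicyDocument` field) and pass the parsed dictionary to `check_trust_policy` together with your Customer ID.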
Configure full permission deployment in Cloud Defender
To complete configuration of a full permission deployment, you must log into Cloud Defender, and then enter the AWS role information created above.
To configure this deployment in Cloud Defender:
- Navigate to the Deployments page.
- Click the tile for the AWS deployment you want to configure.
- Enter the Role ARN and External ID you created above.
- Click Create.
To configure full permission deployment with centralized log collection, you must log into your AWS account and create a policy and IAM role for the account you want to protect and for the account you want to use for centralized log collection. Then you must log into Cloud Defender and provide the role information for both accounts.
- Protected account—The account protected by Cloud Defender.
- Receiving account—The account that owns the S3 bucket where CloudTrail is configured to store its log files.
The policy document for the protected account grants only the permissions required to monitor your environments. The policy document for the receiving account grants only read-only access.
- Download and open this policy document for the protected account. Keep the document open so you can copy and paste the information during IAM role creation.
- Download and open this policy document for the receiving account. Keep the document open so you can copy and paste the information during IAM role creation for centralized log collection.
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID—Type the AWS account that Alert Logic uses to collect logs:
- If you are using the US data center: 733251395267
- If you are using the EU data center: 857795874556
- Select Require external ID.
- External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings > Support Information.
- Require MFA—Make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Cloud Defender console.
Configure full permission deployment with centralized log collection in Cloud Defender
To complete configuration of a full permission deployment with centralized log collection, you must log into Cloud Defender, and then enter the AWS role information created above.
To configure this deployment in Cloud Defender:
- Navigate to the Deployments page.
- Click the tile for the AWS deployment you want to configure.
- Enter the Role ARN and External ID for the protected account.
- Select I want this environment to use cross-account CloudTrail to centralize CloudTrail log collection.
- Enter the Role ARN and External ID for the receiving account.
- Click Create.
Minimal permission deployment
Minimal permission deployment employs the most limited privileges that still allow Cloud Defender to work properly in AWS. Minimal permission deployment requires that you perform additional manual steps, such as the setup of AWS CloudTrail and Amazon S3 log file collection.
Minimal permission deployment allows you to set up CloudTrail in either the AWS account you want protected by Cloud Defender, or in a separate account with an S3 bucket to which CloudTrail is configured for centralized log collection.
To perform minimal permission cross-account role configuration, you must log into your AWS account and create an IAM role. AWS role creation requires that you provide an AWS policy, a document that specifies the permissions assigned to the AWS role you create for Alert Logic to access your AWS account. The policy document grants only the permissions required to monitor your environments.
To deploy minimal permissions for your Cloud Defender AWS implementation:
- Set up AWS CloudTrail. Choose to:
- Set up CloudTrail with a new SNS topic, or
- Configure an existing SNS topic for CloudTrail.
- Create an IAM policy and role for minimal permission deployment.
- Configure Amazon S3 bucket policies for log collection.
Set up AWS CloudTrail
For minimal permission deployment to work properly, you must set up your AWS CloudTrail manually. The process to set up AWS CloudTrail depends on whether you need to create an SNS topic or edit an existing SNS topic for CloudTrail.
If AWS CloudTrail is not yet enabled for your account, you must create a new trail, with an S3 bucket and SNS topic, and configure it for use with Cloud Defender.
To set up CloudTrail with a new SNS topic:
- Log into the AWS protected account.
- Click CloudTrail > Trails.
- Click Create trail.
- In Trail name, type a name for your trail.
- For Apply trail to all regions, click Yes.
- For Create a new S3 bucket, select Yes.
- In S3 bucket, type the name of the S3 bucket in which to store your CloudTrail logs in your account.
- Click Advanced.
- For Send SNS notification for every log file delivery, select Yes.
- For Create a new SNS topic, select Yes.
- Click Save.
- Click Create.
If you already enabled AWS CloudTrail for your account, Cloud Defender uses the existing trail with the "multi-region" flag enabled. If you set up more than one trail with this flag enabled, Cloud Defender selects the trail that appears first in alphabetical order. The existing trail you use must be configured with SNS delivery enabled, as described in the steps below.
To configure an existing SNS Topic:
- From the AWS CloudTrail console, click Trails and then select your existing trail.
- Ensure that Apply trail to all regions is set to Yes; if not, click the pencil icon, and then change the value to Yes.
- In the S3 section, ensure that Publish to SNS is set to Yes, and that a valid SNS topic is set. If your current configuration is not set up to publish to SNS, then click the pencil icon to change the settings and create a new SNS topic to receive notifications. Note the ARN of the SNS topic; you will need it when defining the IAM policy.
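The selection rule above (the multi-region trail that sorts first alphabetically, which must publish to SNS) is easy to get wrong when an account has several trails. The following Python is an added example, not Alert Logic's code: it applies that rule to a constructed list shaped like `aws cloudtrail describe-trails` output and reports whether the trail Cloud Defender would pick meets the prerequisites. The trail names, bucket and topic ARN are invented sample data.

```python
from typing import List, Optional

# Constructed sample shaped like the `Trails` list returned by `aws cloudtrail describe-trails`
# (not real data). Note that "audit-trail" sorts before "management-events" but has no SNS topic.
SAMPLE_TRAILS = [
    {"Name": "management-events", "IsMultiRegionTrail": True,
     "S3BucketName": "example-cloudtrail-logs",
     "SnsTopicARN": "arn:aws:sns:us-east-1:111111111111:cloudtrail-delivery"},
    {"Name": "audit-trail", "IsMultiRegionTrail": True,
     "S3BucketName": "example-cloudtrail-logs"},  # SNS delivery not configured
    {"Name": "us-east-only", "IsMultiRegionTrail": False,
     "S3BucketName": "example-cloudtrail-logs",
     "SnsTopicARN": "arn:aws:sns:us-east-1:111111111111:cloudtrail-delivery"},
]


def select_trail(trails: List[dict]) -> Optional[dict]:
    """Mirror the page's rule: among trails with the multi-region flag, take the
    alphabetically first name. Returns None when no multi-region trail exists."""
    multi_region = [t for t in trails if t.get("IsMultiRegionTrail")]
    return min(multi_region, key=lambda t: t["Name"]) if multi_region else None


def trail_findings(trail: Optional[dict]) -> List[str]:
    """Check the selected trail against the prerequisites described above."""
    if trail is None:
        return ["no multi-region trail exists; create one as described above"]
    findings = []
    if not trail.get("SnsTopicARN"):
        findings.append(f"trail {trail['Name']!r} does not publish to an SNS topic")
    if not trail.get("S3BucketName"):
        findings.append(f"trail {trail['Name']!r} has no S3 bucket")
    return findings


if __name__ == "__main__":
    chosen = select_trail(SAMPLE_TRAILS)
    print("Cloud Defender would use:", chosen["Name"] if chosen else None)
    for finding in trail_findings(chosen):
        print("finding:", finding)
```

Running it against the sample shows the pitfall: the trail that would be selected is `audit-trail`, not the one with SNS delivery configured, so either enable SNS on that trail or rename trails so the intended one sorts first.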
Create an IAM policy and role for minimal permission deployment
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID—Type the AWS account that Alert Logic uses to collect logs:
- If you are using the US data center: 733251395267
- If you are using the EU data center: 857795874556
- Select Require external ID.
- External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings > Support Information.
- Require MFA—Make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Cloud Defender console.
Configure Amazon S3 bucket policies for log collection
For Cloud Defender to collect CloudTrail and other logs from your S3 buckets, you must grant the IAM role you created above permission to call the ListObjects and GetObject APIs for the bucket and prefix where you store the logs.
The process to configure the S3 bucket policy depends on your current configuration. Use one of the following procedures:
You must create an S3 bucket policy if the bucket where CloudTrail stores its logs does not already have one.
To create an Amazon S3 bucket policy:
- From the IAM Console, click Roles, select the role you created above, and then note the IAM Role ARN value to ensure that the correct policy is applied to your bucket.
- From the Amazon S3 console, find the bucket that stores the logs to be collected.
If the logs are stored under one or more prefixes (which appear as folders in the console), note the prefix but stop at the top-level bucket, because bucket policies can only be edited from this level.
- Click Properties, and then expand the Permissions section and click Add Bucket Policy.
- Define the policy as follows:
- Download and open this policy document and paste the contents into the bucket policy window.
- Where indicated, replace BUCKET_NAME/PREFIX with the name of your bucket and, if the logs are stored under a prefix, that prefix.
- Where indicated, replace YOUR_IAM_ROLE_ARN with the IAM role you created above.
- Click Save.
If the Amazon S3 bucket where you store logs has an existing bucket policy, you must make the following changes to your policy to allow the IAM role created for Cloud Defender to collect logs.
To update an existing Amazon S3 bucket policy:
- From the Amazon S3 console, find the bucket that stores collected logs.
If the logs are stored under one or more prefixes (which appear as folders in the console), note the prefix but stop at the top-level bucket, because bucket policies can only be edited from this level.
- Click Properties, expand the Permissions section, and then click Edit Bucket Policy.
- Make the following changes to your policy:
- Download the bucket policy block (.txt) and copy the contents.
- After the last permissions statement in the bucket policy window, paste the bucket policy block contents.
- Where indicated, replace BUCKET_NAME/PREFIX with the name of your bucket and, if the logs are stored under a prefix, that prefix.
- Where indicated, replace YOUR_IAM_ROLE_ARN with the ARN of the IAM role you created above.
- Click Save.
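The two procedures above fill placeholders in a downloaded bucket policy block; what that block must express is the ListObjects (the `s3:ListBucket` permission) and GetObject access for one role, scoped to one bucket and prefix. The following Python is an added example and is not Alert Logic's downloadable policy: it renders an equivalent least-privilege policy from the bucket name, prefix and role ARN, handles the no-prefix case, and reviews any bucket policy for grants to the collection role that go beyond read-only log access. The bucket name and role ARN in the sample are constructed.

```python
import json
from typing import List

# Permissions the page says the collection role needs; anything beyond these is a finding.
READ_ONLY_ACTIONS = {"s3:ListBucket", "s3:GetObject"}


def bucket_policy_statements(bucket: str, prefix: str, role_arn: str) -> List[dict]:
    """Statements granting the Alert Logic role ListObjects and GetObject access, scoped to
    one bucket and (optionally) one prefix. Illustrative equivalent of the page's block."""
    prefix = prefix.strip("/")
    list_stmt = {
        "Sid": "AlertLogicListBucket",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if prefix:
        # Restrict listing to the log prefix; without a prefix the whole bucket is listable.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
    object_resource = f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"
    get_stmt = {
        "Sid": "AlertLogicGetObject",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "s3:GetObject",
        "Resource": object_resource,
    }
    return [list_stmt, get_stmt]


def new_bucket_policy(bucket: str, prefix: str, role_arn: str) -> dict:
    """A complete bucket policy for a bucket that has none yet."""
    return {"Version": "2012-10-17", "Statement": bucket_policy_statements(bucket, prefix, role_arn)}


def excess_grants(policy: dict, role_arn: str, bucket: str) -> List[str]:
    """Report anything the policy allows the collection role beyond read access to the bucket."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws, str):
            aws = [aws]
        if role_arn not in aws and "*" not in aws:
            continue  # statement does not apply to the collection role
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"{st.get('Sid', '?')}: action {action} is not read-only log access")
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res != f"arn:aws:s3:::{bucket}" and not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"{st.get('Sid', '?')}: resource {res} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own bucket, prefix and role ARN.
    role = "arn:aws:iam::222222222222:role/AlertLogicCollector"
    policy = new_bucket_policy("example-cloudtrail-logs", "AWSLogs", role)
    print(json.dumps(policy, indent=2))
    print("findings:", excess_grants(policy, role, "example-cloudtrail-logs"))
```

For a bucket that already has a policy, paste the statements returned by `bucket_policy_statements` after the existing ones, then run `excess_grants` on the merged document before saving; it flags write actions or resources outside the bucket that a copy-and-paste error might have granted to the role.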
Configure minimal permission deployment in Cloud Defender
To complete configuration of a minimal permission deployment, you must log into Cloud Defender, and then enter the AWS role information created above.
To configure this deployment in Cloud Defender:
- Navigate to the Deployments page.
- Click the tile for the AWS deployment you want to configure.
- Enter the Role ARN and External ID you created above.
- Click Create.
Minimal permission deployment with centralized log collection requires you to log into the AWS console to set up and configure both S3 and SNS in the receiving account (the AWS account in which you want to centralize log collection), and then log into the protected account (the AWS account you want to protect) to set up CloudTrail and an IAM role.
To deploy minimal permission deployment with centralized log collection:
- In the receiving account:
- Configure Amazon S3 bucket policies for log collection. Choose to:
- Enable a new S3 bucket policy in the receiving account, or
- Edit an existing S3 bucket policy in the receiving account.
- Configure SNS topic for the receiving account. Choose to:
- Create a new SNS topic in the receiving account, or
- Edit an existing SNS topic in the receiving account.
- Create a minimal permissions IAM policy and role for the receiving account.
- In the protected account:
- Set up CloudTrail in the protected account.
- Create a minimal permission IAM policy and role for the protected account.
- In Cloud Defender:
- Configure minimal permission deployment with centralized log collection in Cloud Defender.
Configure Amazon S3 bucket policies for log collection
For Cloud Defender to collect CloudTrail and other logs from your S3 buckets, you must grant the IAM role you create permission to call the ListObjects and GetObject APIs for the bucket and prefix where you store the logs.
The process to configure the S3 bucket policy depends on your current configuration. Use one of the following procedures:
If the receiving account does not yet have an S3 bucket for CloudTrail logs, you must create one, and then configure it for use with Cloud Defender.
To create an Amazon S3 bucket policy:
- Log into the receiving account.
- From the AWS console, click S3, and then click Create bucket.
- Complete the appropriate fields in the Create bucket window.
- Click Next to accept the default settings for properties and permissions.
- Click Create.
- From the AWS S3 console, select the bucket you just created.
- Click the Permissions tab, and then click Bucket Policy.
- Create the bucket policy as follows:
- Download the bucket policy (.txt) and paste the contents into the bucket policy window.
- Where indicated, replace ReceivingAccountBucketName with the name of your bucket.
- Where indicated, replace ProtectedAccountID with the account number of the protected account.
- Click Save.
If the receiving account already has an S3 bucket for CloudTrail logs, you must configure that bucket for use with Cloud Defender.
- Log into the receiving account.
- From the AWS console, click S3, and find the bucket that stores collected logs.
- Click Properties, expand the Permissions section, and then click Edit Bucket Policy.
- Perform the following actions:
- Download the bucket policy block (.txt) and copy the contents.
- After the last permissions statement in the bucket policy window, paste the bucket policy block contents.
- Where indicated, replace ReceivingAccountBucketName with the name of your bucket.
- Where indicated, replace ProtectedAccountID with the account number of the protected account.
- Click Save.
Configure SNS topic for the receiving account
For minimal permission deployment to work properly, you must set up your AWS CloudTrail manually in the receiving account. The process to set up AWS CloudTrail depends on whether you need to create an SNS topic or edit an existing SNS topic for CloudTrail.
You must create a Simple Notification Service (SNS) topic in the receiving account and configure it for use with Cloud Defender.
To create an SNS topic:
- Log into the receiving account.
- From the AWS console, click Simple Notification Service.
- From the SNS dashboard, click Create topic, and then provide a topic name.
- Click Create topic.
- On the Topics page, make note of the ARN for the new SNS topic.
- Select Other topic actions > Edit topic policy.
- Click Advanced view.
- Make the following changes to your topic policy:
- After the last permissions statement, add a comma (,).
- Download the SNS topic policy text block (.txt) and paste it into the policy after the comma.
- Replace SNS_TOPIC_ARN with the Topic ARN.
- Click Update policy.
If you have an existing Simple Notification Service (SNS) topic enabled in the receiving account, you must edit the existing topic policy.
To edit an existing SNS topic:
- Log into the receiving account.
- From the AWS console, click Simple Notification Service.
- From the SNS dashboard, click Topics, and select the topic you want to edit.
- Select Other topic actions > Edit topic policy.
- Click Advanced view.
- Make the following changes to your topic policy:
- After the last permissions statement, add a comma (,).
- Download the SNS topic policy text block (.txt) and paste it into the policy after the comma.
- Replace SNS_TOPIC_ARN with the Topic ARN.
- Click Update policy.
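Both SNS procedures above edit the topic policy by hand: add a comma after the last statement, paste the downloaded block, replace SNS_TOPIC_ARN. A missed comma or an unreplaced placeholder is the usual reason the policy update is rejected or the topic silently receives nothing. The following Python is an added example, not Alert Logic's downloadable block: it performs the same merge by parsing both documents, so the result is always well-formed JSON, and then checks the merged policy for a leftover placeholder, statements whose resource is not this topic, and statements open to any principal without a condition. The block content is an assumption standing in for the page's file (the statement CloudTrail needs in order to publish to a topic), and the existing topic policy, account ID and topic ARN are constructed sample data.

```python
import json
from typing import List

# Assumed stand-in for the page's downloadable SNS topic policy block: CloudTrail must be
# allowed to publish delivery notifications to the topic. The page's own file is not reproduced.
SNS_POLICY_BLOCK = """{
  "Sid": "AWSCloudTrailSNSPolicy",
  "Effect": "Allow",
  "Principal": {"Service": "cloudtrail.amazonaws.com"},
  "Action": "SNS:Publish",
  "Resource": "SNS_TOPIC_ARN"
}"""

# Constructed sample: the shape of the default policy AWS attaches to a new topic.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:cloudtrail-delivery"
SAMPLE_TOPIC_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Subscribe", "SNS:Receive", "SNS:Publish"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}},
    }],
})


def append_statement(policy_text: str, block_text: str, topic_arn: str) -> dict:
    """Equivalent of the manual steps (comma, paste block, replace SNS_TOPIC_ARN), done by
    parsing both documents. Re-running it does not duplicate a statement with the same Sid."""
    policy = json.loads(policy_text)
    statement = json.loads(block_text.replace("SNS_TOPIC_ARN", topic_arn))
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != statement.get("Sid")]
    statements.append(statement)
    policy["Statement"] = statements
    return policy


def topic_policy_findings(policy: dict, topic_arn: str) -> List[str]:
    """Checks worth running before clicking Update policy."""
    findings = []
    if "SNS_TOPIC_ARN" in json.dumps(policy):
        findings.append("placeholder SNS_TOPIC_ARN was not replaced")
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "?")
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res != topic_arn:
                findings.append(f"{sid}: resource {res} is not this topic")
        principal = st.get("Principal")
        if principal in ("*", {"AWS": "*"}) and "Condition" not in st:
            findings.append(f"{sid}: allows any principal without a condition")
    return findings


if __name__ == "__main__":
    merged = append_statement(SAMPLE_TOPIC_POLICY, SNS_POLICY_BLOCK, TOPIC_ARN)
    print(json.dumps(merged, indent=2))
    print("findings:", topic_policy_findings(merged, TOPIC_ARN))
```

To use it on a real topic, paste the current policy from the Advanced view into `policy_text` and the downloaded block into `block_text`; the printed JSON is what goes back into the editor.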
Create a minimal permissions IAM policy and role for the receiving account
To perform cross-account role configuration with centralized log collection, you must log into your AWS account and create an IAM role for the account you want to use for centralized log collection.
AWS role creation requires that you provide an AWS policy, a document that specifies the permissions assigned to the AWS role you create for Alert Logic to access your AWS account. The policy document for the receiving account grants only read-only access.
Download and open this policy document for the receiving account. Keep the document open so you can copy and paste the information during IAM role creation for centralized log collection.
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID—Type the AWS account that Alert Logic uses to collect logs:
- If you are using the US data center: 733251395267
- If you are using the EU data center: 857795874556
- Select Require external ID.
- External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings > Support Information.
- Require MFA—Make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Cloud Defender console.
Set up CloudTrail in the protected account
- Log into the AWS protected account.
- Click CloudTrail > Trails.
- Click Create trail.
- In Trail name, type a name for your trail.
- For Apply trail to all regions, click Yes.
- For Create a new S3 bucket, select No.
- In S3 bucket, type the name of the S3 bucket you created in the receiving account to store your CloudTrail logs.
- Click Advanced.
- For Send SNS notification for every log file delivery, select Yes.
- For Create a new SNS topic, select No, and then enter the topic ARN for the SNS topic you created in the receiving account.
- Click Save.
- Click Create.
Create a minimal permission IAM policy and role for the protected account
To perform cross-account role configuration with centralized log collection, you must log into your AWS account and create an IAM role for the account you want to protect. The policy document for the protected account grants only the permissions required to monitor your environments.
Download and open this policy document for the protected account. Keep the document open so you can copy and paste the information during IAM role creation for the protected account.
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID—Type the AWS account that Alert Logic uses to collect logs:
- If you are using the US data center: 733251395267
- If you are using the EU data center: 857795874556
- Select Require external ID.
- External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings > Support Information.
- Require MFA—Make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Cloud Defender console.
Configure minimal permission deployment with centralized log collection in Cloud Defender
To complete configuration of a minimal permission deployment with centralized log collection, you must log into Cloud Defender, and then enter the AWS role information created above.
To configure this deployment in Cloud Defender:
- Navigate to the Deployments page.
- Click the tile for the AWS deployment you want to configure.
- Enter the Role ARN and External ID for the protected account.
- Select I want this environment to use cross-account CloudTrail to centralize CloudTrail log collection.
- Enter the Role ARN and External ID for the receiving account.
- Click Create.