Configure Alert Logic Cloud Defender AWS cross-account role access

Alert Logic Cloud Defender supports Amazon Web Services (AWS) cross-account roles. The Cloud Defender Deployments page in the Alert Logic console allows you to create deployments for your AWS accounts. On this page, you can edit an AWS deployment name, add and edit AWS credentials to provide us with cross-account access to those accounts, and delete deployments.

Before you begin

Before Alert Logic can manage the protection of your AWS accounts, you must:

  • Log into your AWS account to create a cross-account role to allow Alert Logic to access your AWS accounts.
  • Log into Cloud Defender to configure credentials for each discovered AWS deployment.
  • Determine whether you want to configure cross-account for centralized CloudTrail log collection. For more information about centralized log collection, see "Should you centralize CloudTrail log collection?" below.

Use of centralized CloudTrail log collection affects how you configure cross-account access for your deployment. You should make this decision prior to configuration of your deployment.

About AWS cross-account roles

Cross-account roles allow Alert Logic to access your AWS account. Creating an AWS role requires that you provide an AWS policy, a document that specifies the permissions assigned to the role you create for Alert Logic to access your AWS account.

When you create a role to provide Alert Logic cross-account access to your AWS accounts, you provide better protection for those accounts with:

  • Improved agent lifecycle management
  • Optimized appliance deployments
  • Auto detection of new assets and changed configurations

To set up or edit cross-account access, click an AWS deployment tile on the Deployments page, and then provide your AWS role ARN and the External ID.

When you set up your AWS cross-account role for Cloud Defender, you can choose from two levels of permissions: full permission deployment or minimal permission deployment, both described in the sections below.

Our full permission policy document does not allow us to:

  • Retrieve secret keys or credentials from IAM
  • Retrieve data from data stores other than S3
  • Perform these actions from any other AWS account
  • Grant access to the protected account to any other AWS account or user
  • Modify IAM credentials or policies

If you create a deployment with one level of permissions, and then want to switch to another level of permissions, you can create another IAM role with the appropriate level of permissions (if you do not already have that role configured). Then, click edit on the deployment tile to change your deployment configuration to use the appropriate role.
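As an added example, not Alert Logic's own code or policy, the following Python checker reviews the two documents this section asks you to supply: it verifies that a role's trust policy admits only one trusted account and requires the External ID, and that a permission policy grants no action that could read or change IAM credentials or policies. The account ID, External ID, sample policies and the SENSITIVE_ACTIONS list are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample documents; the account id, External ID and policies are
# placeholders for illustration, not Alert Logic's actual values or policy.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]})
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "cloudtrail:DescribeTrails", "s3:GetObject"]}]})
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "iam:*"]}]})

# Concrete IAM actions that would let a role read or change IAM credentials
# and policies, which the page says the cross-account role must not be able to do.
SENSITIVE_ACTIONS = ("iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:CreateLoginProfile",
                     "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                     "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc, trusted_account, external_id):
    """Findings for AssumeRole statements; empty means only the trusted account
    may assume the role and the External ID condition is present and correct."""
    findings = []
    for stmt in _as_list(json.loads(doc).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals != [f"arn:aws:iam::{trusted_account}:root"]:
            findings.append(f"principal {principals} is not only the trusted account")
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            findings.append("missing or wrong sts:ExternalId condition")
    return findings

def overbroad_actions(doc):
    """Granted Allow actions (globs such as iam:* included) that would cover any
    SENSITIVE_ACTIONS entry; the policy action itself is used as the glob."""
    hits = set()
    for stmt in _as_list(json.loads(doc).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if any(fnmatch.fnmatchcase(s.lower(), action.lower()) for s in SENSITIVE_ACTIONS):
                hits.add(action)
    return sorted(hits)
```

Run the checks against the role you created before entering its ARN and External ID on the deployment tile; a non-empty result from either function means the role does not match what this section describes.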

Should you centralize CloudTrail log collection?

AWS allows you to use a separate, dedicated account with CloudTrail enabled to centralize your CloudTrail collection. Regardless of the level of permissions you choose to configure in the Alert Logic console, you can choose to centralize log collection, which requires a second IAM role to allow Alert Logic to access the AWS receiving account that collects CloudTrail data.

If you provide cross-account access to the AWS receiving account for centralized log collection, you get near real-time updates about your assets. Without this cross-account access, Cloud Defender refreshes information about your assets only every 12 hours.

Full permission deployment

Alert Logic recommends full permission deployment, which requires the use of the recommended policy available within the Alert Logic console. This set of permissions allows Cloud Defender to discover your AWS environment and automate the setup of the required AWS services.

To use full permission deployment, you must grant Alert Logic permissions to make changes to your environment (enable/modify AWS CloudTrail settings, create an Amazon SQS queue and an Amazon SNS topic, modify permissions).

Full permission deployment allows you to set up CloudTrail in either the AWS account you want protected by Cloud Defender, or in a separate account in which CloudTrail is configured for centralized log collection.

Minimal permission deployment

Minimal permission deployment employs the most limited privileges that still allow Cloud Defender to work properly in AWS. Minimal permission deployment requires that you perform additional manual steps, such as the setup of AWS CloudTrail and Amazon S3 log file collection.

Minimal permission deployment allows you to set up CloudTrail in either the AWS account you want protected by Cloud Defender, or in a separate account with an S3 bucket to which CloudTrail is configured for centralized log collection.