To activate the Elastica AWS Securlet, perform all the procedures in the following subsections.
Introduction
This tech note describes how to set up the CloudSOC™ AWS Securlet™. The Securlet for a SaaS
application lets CloudSOC obtain user activity data and user information. CloudSOC uses this
information to auto-import users from the SaaS application. The AWS Securlet supports all
services and regions supported by CloudTrail.
Prerequisites
To enable the AWS Securlet on your CloudSOC account:
● You must have administrative privileges on your CloudSOC account.
● You must activate CloudTrail on your AWS account.
We only monitor regions where CloudTrail is enabled. See How to activate CloudTrail on
your AWS account for more information.
● You must know your AWS Account number.
● The S3 buckets used must not have any periods in their names.
See: https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
Activating the AWS Securlet
To activate the AWS Securlet, perform the procedures in the following subsections.
1. Create a custom policy
First, you create a custom policy that you can apply to a CloudSOC-specific role that you create
in a subsequent procedure.
Note: To define a role, you must be an administrator on your enterprise AWS account. You can
use a Root account or an IAM user with admin privileges.
1. If you have not already done so, login to your AWS account at this url:
https://console.aws.amazon.com.
2. Navigate to Services and select IAM. Choose Policies, then click Create Policy.
3. Next to Create Your Own Policy, click the JSON tab.
a. Depending on your location, and on whether you want to automatically discover
buckets for the optional S3 content inspection, download one of the following files
and open it in a text editor. Copy the text in the file and paste it into the JSON
editor field.
Automatic S3 bucket discovery
● For the US-based production cloud:
https://app.elastica.net/static/store/aws_access_policy_automatic.json
● For the EU-based production cloud:
https://app.eu.elastica.net/static/store/aws_access_policy_automatic.json
Manual S3 bucket discovery
● For the US-based production cloud:
https://app.elastica.net/static/store/aws_access_policy_manual.json
● For the EU-based production cloud:
https://app.eu.elastica.net/static/store/aws_access_policy_manual.json
4. Click Review policy. This also validates the policy.
Tip: If AWS reports any validation errors, confirm that the pasted policy document text
has both beginning and ending braces (“{” and “}”) to ensure the policy text was pasted in
its entirety.
5. Enter a policy name (and description) for the policy in accordance with your company’s
naming convention.
6. Click Create Policy.
7. Proceed to 2. Define the CloudSOC-specific role on your AWS account.
2. Define the CloudSOC-specific role on your AWS account
After creating a policy for the CloudSOC-specific role, you create the role itself:
1. Browse to https://console.aws.amazon.com and login to your AWS account.
2. Navigate to Services and select IAM.
3. In the navigation bar, choose Roles.
4. Click Create role.
5. Select Another AWS account.
a. Provide one of the following AWS Account ID numbers for the Account ID field.
■ For the US-based production cloud:
279556430935
■ For the EU-based production cloud:
845418340189
b. Check Require external ID
■ Note: For the External ID, enter El<your-account-id>, where:
● El is an uppercase letter “E” followed by a lowercase letter “L”
● <your-account-id> is your AWS account ID number
For example, if your AWS account ID is 01234567890, you would enter “El01234567890”
(without the quote marks) for the External ID.
Important: Make sure you enter the CloudSOC account ID and External ID correctly. If you
copy and paste the Account ID or External ID, make sure that there are no extraneous
leading or trailing spaces. A mistake in either field causes the error “Failed to Assume
Role” in red text in your CloudSOC browser when you enable the CloudSOC AWS
Securlet as described in Enable the AWS Securlet.
6. Click Next: Permissions.
7. On the Attach Policy page, search for the custom policy you created in the section Create
A Custom Policy. Mark the checkbox next to the policy.
8. For the role name, enter the following name exactly as shown:
elastica-cloudtrail-role
9. Enter any convenient role description.
10. Review the role configuration and click Create Role.
11. On the Roles page, make sure the new role appears in the list of roles.
12. Proceed to 3. Activate CloudTrail on your AWS account.
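When you select Another AWS account and check Require external ID in step 5, the console wizard writes a role trust policy whose sts:AssumeRole permission carries an sts:ExternalId condition; that condition is what stops a third party from pointing CloudSOC at your role. The following Python script is an added example, not code from the tech note or from CloudSOC: it builds that trust policy from the account IDs and External ID convention above, checks the two wizard fields for the mistakes the Important note warns about, and lints a pasted trust policy for a missing external ID. The account ID 123456789012 in the usage section is a constructed placeholder.

```python
"""Added example (not CloudSOC's code): build and sanity-check the IAM trust
policy that the 'Another AWS account' + 'Require external ID' wizard creates
for the CloudSOC role."""
import json

# CloudSOC account IDs from the tech note (US and EU production clouds).
CLOUDSOC_ACCOUNT_IDS = {"us": "279556430935", "eu": "845418340189"}
ROLE_NAME = "elastica-cloudtrail-role"  # role name required by the tech note


def external_id_for(your_account_id: str) -> str:
    """External ID convention from the tech note: 'El' + your AWS account ID."""
    return "El" + your_account_id


def build_trust_policy(cloud: str, your_account_id: str) -> dict:
    """Trust policy equivalent to the wizard output: the CloudSOC account may
    assume the role only when it presents the agreed external ID (the
    confused-deputy guard that 'Require external ID' switches on)."""
    cloudsoc_account = CLOUDSOC_ACCOUNT_IDS[cloud]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{cloudsoc_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"sts:ExternalId": external_id_for(your_account_id)}
                },
            }
        ],
    }


def trust_policy_json(cloud: str, your_account_id: str) -> str:
    """JSON form, usable with 'aws iam create-role --assume-role-policy-document'."""
    return json.dumps(build_trust_policy(cloud, your_account_id), indent=2)


def check_trust_inputs(cloud: str, account_id_field: str,
                       external_id_field: str, your_account_id: str) -> list:
    """Return the mistakes in the two wizard fields that lead to
    'Failed to Assume Role' when the Securlet is enabled."""
    problems = []
    if account_id_field != account_id_field.strip():
        problems.append("Account ID has leading or trailing whitespace")
    if account_id_field.strip() != CLOUDSOC_ACCOUNT_IDS[cloud]:
        problems.append(f"Account ID is not the CloudSOC {cloud.upper()} account ID")
    if external_id_field != external_id_field.strip():
        problems.append("External ID has leading or trailing whitespace")
    if external_id_field.strip() != external_id_for(your_account_id):
        problems.append("External ID is not 'El' (capital E, lowercase L) + your account ID")
    return problems


def lint_trust_policy(policy_json: str) -> list:
    """Lint a pasted trust policy: it must parse as JSON, and every Allow
    statement must carry an sts:ExternalId condition."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (check for a missing '{{' or '}}'): {exc.msg}"]
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        conditions = stmt.get("Condition", {})
        if "sts:ExternalId" not in conditions.get("StringEquals", {}):
            findings.append("statement allows sts:AssumeRole without an external ID condition")
    return findings


if __name__ == "__main__":
    my_account = "123456789012"  # constructed placeholder account ID
    print(trust_policy_json("us", my_account))
    # A leading space in the Account ID and 'EI' instead of 'El' are both caught:
    print(check_trust_inputs("us", " 279556430935", "EI123456789012", my_account))
```

Run the script with your own account ID substituted; an empty list from check_trust_inputs means the two fields are what the Securlet expects, and an empty list from lint_trust_policy on the role's trust policy confirms the external ID condition survived the paste.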
3. Activate CloudTrail on your AWS account
In order to use the AWS Securlet, you enable the CloudTrail service on your AWS account in all
regions that you want to monitor. You also create an S3 bucket where CloudTrail places the
activity logs. We recommend that you enable CloudTrail for all regions as described in the
following procedure.
1. In the AWS admin console, search on "CloudTrail" and click CloudTrail.
2. In the navigation bar, click Trails, then click Create Trail.
3. In the Create Trail area, give the trail a name and set "Apply trail to all regions" to Yes.
Note: You can choose No if you do not want to enable CloudTrail in all regions. In that
case, enable CloudTrail in the regions of interest, and make sure that the name of the S3
bucket described below is the same for all regions.
4. In the Storage location area, mark the radio button for Create a new S3 bucket, then click
Advanced to show the advanced options.
5. Use these settings for the new S3 bucket for CloudTrail logs. Other settings are optional:
Field: S3 bucket
Setting: Enter a name for the new S3 CloudTrail bucket. Record the bucket name so that you can
enter it exactly the same when you activate the AWS Securlet in 6. Enable the AWS Securlet.
Important: Do not enable content inspection for this bucket by CloudSOC. Doing so causes an
error condition.

Field: Log file prefix
Setting: Leave blank, or include a prefix in accordance with your company’s naming convention
for log files. We recommend that you use the same prefix for all regions.

Field: Enable log file validation
Setting: Mark the No button.

Field: Send SNS notification for every log file delivery
Setting: Mark the No button.
6. Click Create.
7. Go to the SNS Dashboard in the region where the S3 bucket for CloudTrail activities is
located.
8. Click Create to create a new SNS Topic in the region.
Note: If you don't know the region of your S3 bucket, you can find it on the S3 Dashboard.
The Region is shown in the third column.
9. In SNS Dashboard > Topics, click Create Topic.
10. Provide a topic name of your choice.
11. Under Access Policy, select Advanced.
a. Add the following snippet as a new statement in the statements array of your
existing Topic Policy. Replace <YOUR-TOPIC-ARN> with the ARN of your SNS
topic.
b. Note: confirm that the pasted policy document text has both beginning and
ending braces (“{” and “}”) to ensure the policy text was pasted in its entirety.
{
    "Sid": "example-statement-ID",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "SNS:Publish",
    "Resource": "<YOUR-TOPIC-ARN>",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:s3:*:*:*"
        }
    }
}
12. Click Create Topic
13. Navigate to the S3 Dashboard and select the S3 bucket for CloudTrail activities. Then
click the Properties tab.
14. Click Events, then click Add Notifications.
15. Provide any name for the notification.
16. In the Events area, mark the checkbox for All object create events.
17. From the Send to menu, choose SNS Topic.
18. From the SNS menu, choose the SNS topic you created earlier in this procedure.
19. At the bottom of the Events box, click Save.
20. If you have multiple accounts in AWS with a single bucket for cross-account CloudTrail,
only perform this procedure for the account where the S3 bucket for CloudTrail activities
is. You can skip creating a new CloudTrail if it is already active.
See the following AWS article for more information about setting up multi-account
CloudTrail:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
4. (Optional) Manually enable S3 content inspection
Perform the procedure described in this section only if both of the following conditions are true:
● You want CloudSOC to perform content inspection on your S3 buckets
● You want to manually enter the S3 buckets for content inspection instead of having the
CloudSOC Securlet automatically discover them
Otherwise, skip ahead to 5. (Optional) Enable S3 Server Access Logging in AWS.
In this procedure, you create one SNS topic in each region where you have S3 buckets for which
you want to submit files for content inspection. Later, when you enable the Securlet, you
configure it with the ARNs for the topics.
1. In SNS Dashboard > Topics, click Create Topic.
2. Provide a topic name of your choice.
3. Under Access Policy, select Advanced.
a. Add the following snippet as a new statement in the statements array of your
existing Topic Policy. Replace <YOUR-TOPIC-ARN> with the ARN of your SNS
topic.
b. Note: confirm that the pasted policy document text has both beginning and
ending braces (“{” and “}”) to ensure the policy text was pasted in its entirety.
{
    "Sid": "example-statement-ID",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "SNS:Publish",
    "Resource": "<YOUR-TOPIC-ARN>",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:s3:*:*:*"
        }
    }
}
c. Click Create Topic.
4. Navigate to the S3 Dashboard and select the S3 bucket for which you want content
inspection. Then click the Properties tab.
5. Click Events, then click Add Notifications.
6. Provide any name for the notification.
7. In the Events area, mark the checkboxes for All object create events and All object
delete events.
8. From the SNS menu, choose the SNS topic you created earlier in this procedure.
9. At the bottom of the Events box, click Save.
10. If you have multiple buckets in the same region, repeat the earlier steps in this procedure
for the S3 bucket events of each bucket and use the same SNS topic as the destination for the
events. Each region must have exactly one SNS topic for all the buckets for S3 content
inspection in that region.
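The SNS topic policy statement pasted in sections 3 and 4 opens the topic to Principal "*" and relies entirely on the aws:SourceArn condition to limit who may publish; the bucket notification then differs between the two sections (object-create events only for the CloudTrail bucket, create and delete events for content-inspection buckets). The following Python script is an added example, not code from the tech note or from CloudSOC, that generates that statement, inserts it into an existing topic policy, lints the result for a lost brace, a missing condition, or the any-bucket source ARN, checks a bucket name against the no-periods prerequisite, and produces the two notification configurations. The topic ARN, bucket ARN, account ID and the existing topic policy are constructed sample values; the event names s3:ObjectCreated:* and s3:ObjectRemoved:* are the S3 event type identifiers.

```python
"""Added example (not CloudSOC's code): generate and lint the SNS topic policy
statement from sections 3 and 4, and build the matching S3 bucket notification
configuration (create-only for the CloudTrail bucket, create + delete for
content-inspection buckets)."""
import json
import re

S3_ANY_BUCKET = "arn:aws:s3:*:*:*"  # source ARN used by the tech note's snippet


def sns_s3_publish_statement(topic_arn: str, source_arn: str = S3_ANY_BUCKET,
                             sid: str = "AllowS3Publish") -> dict:
    """Statement that lets S3 publish bucket events to the topic. The tech note's
    snippet uses the any-bucket source ARN; pass your bucket ARN to scope it."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {"ArnLike": {"aws:SourceArn": source_arn}},
    }


def add_statement(topic_policy_json: str, statement: dict) -> str:
    """Append a statement to an existing topic policy (the 'new statement in the
    statements array' step) and return the updated document."""
    policy = json.loads(topic_policy_json)
    policy.setdefault("Statement", []).append(statement)
    return json.dumps(policy, indent=2)


def lint_topic_policy(topic_policy_json: str) -> list:
    """Findings for a topic policy: unparsable JSON (a lost brace), an Allow for
    Principal '*' with no Condition at all (anyone may publish), or the
    any-bucket source ARN (any S3 bucket in any AWS account may publish)."""
    try:
        policy = json.loads(topic_policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (check for a missing '{{' or '}}'): {exc.msg}"]
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") != "Allow" or not wildcard:
            continue
        condition = stmt.get("Condition") or {}
        if not condition:
            findings.append(f"{sid}: Principal '*' with no Condition; anyone can publish")
        elif condition.get("ArnLike", {}).get("aws:SourceArn") == S3_ANY_BUCKET:
            findings.append(f"{sid}: source ARN matches any S3 bucket in any account; "
                            "consider the specific bucket ARN")
    return findings


def check_bucket_name(name: str) -> list:
    """Prerequisite from the tech note: bucket names must not contain periods.
    The pattern also enforces the basic S3 rule of 3-63 lowercase letters,
    digits and hyphens."""
    problems = []
    if "." in name:
        problems.append("contains a period (not supported by the Securlet)")
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]", name):
        problems.append("must be 3-63 lowercase letters, digits or hyphens")
    return problems


def s3_notification_config(topic_arn: str, name: str, include_deletes: bool) -> dict:
    """Bucket notification configuration for put-bucket-notification-configuration.
    Section 3 (CloudTrail bucket): object-create events only.
    Section 4 (content inspection): create and delete events."""
    events = ["s3:ObjectCreated:*"]
    if include_deletes:
        events.append("s3:ObjectRemoved:*")
    return {"TopicConfigurations": [{"Id": name, "TopicArn": topic_arn, "Events": events}]}


# Constructed sample values (not from the tech note).
EXAMPLE_TOPIC_ARN = "arn:aws:sns:eu-west-1:123456789012:cloudtrail-events"
EXAMPLE_BUCKET_ARN = "arn:aws:s3:::my-cloudtrail-logs"
EXISTING_TOPIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Subscribe", "SNS:Publish"],
        "Resource": EXAMPLE_TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
    }],
})

if __name__ == "__main__":
    updated = add_statement(EXISTING_TOPIC_POLICY,
                            sns_s3_publish_statement(EXAMPLE_TOPIC_ARN, EXAMPLE_BUCKET_ARN))
    print(updated)
    print(lint_topic_policy(updated))
    print(json.dumps(s3_notification_config(EXAMPLE_TOPIC_ARN, "content-inspection", True)))
```

Paste the output of add_statement into the Advanced access policy editor, or feed it to the SNS set-topic-attributes call; lint_topic_policy reports the any-bucket source ARN as a finding so that you can decide whether the tighter bucket-specific ARN fits your setup.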
5. (Optional) Enable S3 Server Access Logging in AWS
The AWS Securlet offers Amazon S3 Server Access Logging (SAL) support. You can use server
logs to give you an idea of the nature of traffic against your bucket. Note that this feature is not
meant to be a complete real-time accounting of all requests. Activity reports are subject to a
delay of 45 to 60 minutes.
Perform the steps in this section to have some or all of your Amazon S3 buckets monitored for
access requests. Note the following as you perform this procedure:
● The source buckets are the buckets for which you want CloudSOC to monitor all access
requests.
● The target bucket is the bucket where you want AWS to save the access logs for the
source buckets. This is the bucket from which the CloudSOC Securlet retrieves the logs.
The source and target bucket(s) must be in the same region.
To enable logging on a bucket:
1. If you have not already done so, browse to https://console.aws.amazon.com/s3/ and login
to the AWS Management Console.
2. In Services, search on "s3" and choose s3.
3. Click Create bucket to create the target bucket where AWS saves the access logs.
4. In the Create Bucket box, use the Name and Region page to give the bucket a name and
identify its region. The bucket must be in the same region as your source bucket. Note
the correct target bucket name here, because you need it later in the section Enable the
AWS Securlet.
You can also use an existing target bucket in the same region as your source bucket
resides.
5. Click Next.
6. On the list of your buckets, click the new target bucket. Then navigate to Management >
Lifecycle.
7. In the Lifecycle area, click Add lifecycle rule.
8. On the Lifecycle Rule box, give the new rule a name.
Leave the "add filter" box blank to apply the rule to the whole bucket.
9. Click Next twice to go to the Expiration page.
10. In the Configure Expiration page, mark the checkbox for Previous versions.
11. Mark the checkbox for Permanently delete previous versions to and set the duration to
100 days.
12. Click Next, review the lifecycle rule, then click Save.
13. Navigate to a source bucket then the Properties tab, click Server access logging, then
click Enable Logging.
14. From the Target Bucket menu, choose the target bucket that you created earlier, as
shown below.
15. (Optional) To specify a key prefix for log objects, in the Target Prefix box, type a prefix of
your choice.
16. Click Save.
If you want to monitor more than one bucket and the buckets reside in different regions, repeat
the procedure described in this section for each region.
You have configured S3 Server Access logging on your AWS account. Proceed to the section 6.
Enable the AWS Securlet.
6. Enable the AWS Securlet
This section describes how to enable the AWS Securlet on your CloudSOC.
1. Login to CloudSOC using your administrator credentials.
2. In the CloudSOC left-side navigation bar, click Store.
3. Scroll down to Securlets and click See all in the upper right corner.
4. Navigate to the Amazon Web Services Securlet app and click Activate.
CloudSOC redirects you to the page where you provide additional information about your
AWS account.
5. Enter your AWS Account ID and a convenient account name.
6. In the CloudTrail Support box, enter the AWS SNS ARN for your AWS account.
You can copy the ARN of the SNS topic created in the CloudTrail configuration step from
the AWS console.
7. If you want CloudSOC to do content inspection on your S3 buckets, perform the following
additional steps. Otherwise skip ahead to Step 13.
8. Enable the slider for S3 Content Inspection Support.
9. Unless you want to manually identify the S3 buckets for content inspection, mark
Automatic. To use the manual option, you must provide the name and
region for each bucket you want scanned.
CloudSOC prompts whether you are sure you want to use automatic discovery for your
S3 buckets. The prompt also offers you a link to the access policy for
automatic discovery.
Note: If you want to use automatic discovery, but implemented the policy for manual
discovery in the section 1. Create a custom policy, click the button to download the
automatic policy, then return to that section to change the custom policy so that it uses
the automatic one instead of the manual one.
10. Click Yes to confirm you want to use automatic bucket discovery. CloudSOC discovers
your S3 buckets and lists them for you. The window may take several
minutes to appear. Refresh your browser if the list does not appear after a few minutes.
11. Mark the checkboxes next to the buckets you want CloudSOC to do content inspection
on. Mark Scan Existing Data for each bucket only if you want AWS Securlet to scan all the
existing data in the bucket. Note that the time required for the scan of existing data
depends on the size of the bucket.
Important: If you enable Server Access Logging (SAL), do not enable content inspection
for the buckets for SAL, or for your CloudTrail logs, as described in the section 3. Activate
CloudTrail on your AWS account. Doing so causes an error condition.
12. Click Scan.
13. If you are enabling server access logging in AWS S3 buckets as described in 5. (Optional)
Enable S3 Server Access Logging in AWS, perform the following additional steps.
Otherwise, click Save to complete the procedure.
14. Enable the slider for S3 SAL Support.
15. For each region in which you have S3 support, choose the region name and enter the
name of the SAL target bucket in the region. Click + to add additional regions.
Note: The AWS Securlet supports S3 logging only in regions where you have configured
AWS Cloudtrail.
16. When you have added all applicable regions, click Save.
7. Enable AWS S3 bucket event notifications
Follow the instructions in this section if you are enabling SAL support as described in 5. (Optional)
Enable S3 Server Access Logging in AWS. Otherwise, skip this section.
To enable bucket event notifications:
1. If you have not already done so, login to the AWS Management Console and open the
Amazon S3 console at https://console.aws.amazon.com/s3/.
2. In the Buckets list, select the target bucket that you configured with CloudSOC and
navigate to Properties > Events.
3. In the Events box, click Add notification.
4. In the Name box, type a descriptive name for your event configuration, for example
“CloudSOCS3config”.
If you do not enter a name, AWS generates a GUID that it uses for the name.
5. In the Events area, choose the ObjectCreate (All) event type to ensure that AWS sends
notifications to the destination when any event occurs.
6. In the Send To area, choose SQS Queue as the destination.
7. In the SQS queue box, choose Add SQS ARN from the menu.
8. In the SQS queue ARN box, enter the ARN in the following format (US shown, EU similar):
arn:aws:sqs:<region>:279556430935:elastica-cloudtrail-queue-<tenantname>-<account_id>
Where:
● <region> is the AWS region code. As of the publication of this Tech Note, the
applicable regions were:
Region name                   Region code
US East (Ohio)                us-east-2
US East (N. Virginia)         us-east-1
US West (N. California)       us-west-1
US West (Oregon)              us-west-2
Canada (Central)              ca-central-1
Asia Pacific (Mumbai)         ap-south-1
Asia Pacific (Osaka-Local)    ap-northeast-3
Asia Pacific (Seoul)          ap-northeast-2
Asia Pacific (Singapore)      ap-southeast-1
Asia Pacific (Sydney)         ap-southeast-2
Asia Pacific (Tokyo)          ap-northeast-1
China (Ningxia)               cn-northwest-1
EU (Frankfurt)                eu-central-1
EU (Ireland)                  eu-west-1
EU (London)                   eu-west-2
EU (Paris)                    eu-west-3
South America (São Paulo)     sa-east-1
For a full list of CloudTrail regions and their codes, see the AWS documentation.
● <tenantname> is your CloudSOC tenant identifier
● <account_id> is your AWS Account ID
For example, if your tenant identifier is xyzcom, your region is Ireland, and your
account ID is 12345678, the SQS queue ARN would be:
arn:aws:sqs:eu-west-1:279556430935:elastica-cloudtrail-queue-xyzcom-12345678
9. Click Save. Amazon S3 sends a test message to the event notification destination.
10. Repeat the instructions in this section for all regions in which you have target buckets.
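The queue ARN in step 8 is assembled by hand from the region code table, the CloudSOC account ID and your tenant identifier, and a stray space or a wrong account number means the bucket notification never reaches CloudSOC. The following Python script is an added example, not code from the tech note or from CloudSOC: it composes the ARN from the values above and checks a hand-typed one for whitespace, a mismatched CloudSOC account, an unknown region code and a tenant or account mismatch. The tenant identifier pattern (letters, digits and hyphens) is an assumption; the tenant xyzcom and account ID 12345678 reuse the tech note's own example.

```python
"""Added example (not CloudSOC's code): compose the CloudSOC SQS queue ARN for
the S3 event notification in section 7 and check a hand-typed one."""
import re

# CloudSOC account IDs from the tech note (US and EU production clouds).
CLOUDSOC_ACCOUNT_IDS = {"us": "279556430935", "eu": "845418340189"}

# Region codes as listed in the tech note.
REGION_CODES = {
    "US East (Ohio)": "us-east-2",
    "US East (N. Virginia)": "us-east-1",
    "US West (N. California)": "us-west-1",
    "US West (Oregon)": "us-west-2",
    "Canada (Central)": "ca-central-1",
    "Asia Pacific (Mumbai)": "ap-south-1",
    "Asia Pacific (Osaka-Local)": "ap-northeast-3",
    "Asia Pacific (Seoul)": "ap-northeast-2",
    "Asia Pacific (Singapore)": "ap-southeast-1",
    "Asia Pacific (Sydney)": "ap-southeast-2",
    "Asia Pacific (Tokyo)": "ap-northeast-1",
    "China (Ningxia)": "cn-northwest-1",
    "EU (Frankfurt)": "eu-central-1",
    "EU (Ireland)": "eu-west-1",
    "EU (London)": "eu-west-2",
    "EU (Paris)": "eu-west-3",
    "South America (São Paulo)": "sa-east-1",
}

# Tenant identifier pattern is an assumption (letters, digits, hyphens).
QUEUE_ARN_RE = re.compile(
    r"^arn:aws:sqs:(?P<region>[a-z]{2}-[a-z]+-\d):(?P<account>\d{12}):"
    r"elastica-cloudtrail-queue-(?P<tenant>[A-Za-z0-9-]+)-(?P<owner>\d+)$"
)


def sqs_queue_arn(cloud: str, region: str, tenant: str, account_id: str) -> str:
    """Compose the queue ARN; 'region' may be a region name or a region code."""
    region_code = REGION_CODES.get(region, region)
    if region_code not in REGION_CODES.values():
        raise ValueError(f"unknown region: {region}")
    return (f"arn:aws:sqs:{region_code}:{CLOUDSOC_ACCOUNT_IDS[cloud]}:"
            f"elastica-cloudtrail-queue-{tenant}-{account_id}")


def check_sqs_queue_arn(text: str, cloud: str, tenant: str, account_id: str) -> list:
    """Return the problems in a hand-typed queue ARN; an empty list means it
    matches what CloudSOC expects for this cloud, tenant and account."""
    problems = []
    if text != text.strip() or " " in text:
        problems.append("contains whitespace (remove spaces around ':' and at the ends)")
    match = QUEUE_ARN_RE.match(text.strip())
    if not match:
        problems.append("does not match arn:aws:sqs:<region>:<cloudsoc-account>:"
                        "elastica-cloudtrail-queue-<tenantname>-<account_id> "
                        "(the 'arn:aws:sqs:' prefix and region code are lowercase)")
        return problems
    if match["region"] not in REGION_CODES.values():
        problems.append(f"unknown region code {match['region']}")
    if match["account"] != CLOUDSOC_ACCOUNT_IDS[cloud]:
        problems.append(f"account is not the CloudSOC {cloud.upper()} account ID")
    if match["tenant"] != tenant or match["owner"] != account_id:
        problems.append("tenant identifier or account ID in the queue name does not match")
    return problems


if __name__ == "__main__":
    arn = sqs_queue_arn("us", "EU (Ireland)", "xyzcom", "12345678")
    print(arn)
    # Capitalised prefix and spaces around the account number are both caught:
    print(check_sqs_queue_arn("Arn:aws:sqs:eu-west-1: 279556430935 :"
                              "elastica-cloudtrail-queue-xyzcom-12345678",
                              "us", "xyzcom", "12345678"))
```

Run sqs_queue_arn once per region that holds a target bucket and paste each result into the SQS queue ARN box; check_sqs_queue_arn is the quick review before clicking Save, since S3 only reports a failed test message after the fact.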
Activating the Securlet on additional AWS accounts
To activate the AWS Securlet for additional AWS accounts:
1. Perform the procedures described in the subsections of Activating the AWS Securlet for
the new AWS account.
2. Instead of the procedure 6. Enable the AWS Securlet, do the steps below:
a. In the CloudSOC store, locate the tile for the AWS securlet and click Configure as
shown below.
b. On the page for AWS, choose Account Information > Register New Account as
shown below.
c. Enter the information for the new AWS account and click Save.
Additional note:
If you use AWS Key Management Service (KMS) for the resources the Securlet accesses, the role
must also be allowed to use the KMS key. Add the following two actions to the policy, with the
ARN of the key as the resource. Example:
{
    "Action": [
        "kms:decrypt",
        "kms:CreateGrant"
    ],
    "Resource": "arn:aws:kms:us-east-1:<ten digit account ID>:key/<key ID>",
    "Effect": "Allow"
}
The following changes allow the Securlet to scan a bucket and its contents when the role resides
in a different account of the organization (cross-account access).
Changes to the S3 bucket policy
Add the following statement to the bucket policy, replacing <AWS_Account_Number> and
<bucket_arn> with your values:
{
    "Sid": "ElasticaRoleAccess",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<AWS_Account_Number>:role/elastica-cloudtrail-role"
    },
    "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:PutObject*",
        "s3:PutBucketNotification"
    ],
    "Resource": [
        "<bucket_arn>",
        "<bucket_arn>/*"
    ]
}