Activate the AWS Securlet

Article ID: 170974

Products

● CASB Security Standard

● CASB Security Premium

● CASB Security Advanced

● CASB Audit

● CASB Gateway

● CASB Gateway Advanced

● Data Loss Prevention Cloud Package

Issue/Introduction

To activate the Elastica AWS Securlet, perform all the procedures in the following subsections.

Resolution

 

Introduction

This tech note describes how to set up the CloudSOC™ AWS Securlet™. The Securlet for a SaaS

application lets CloudSOC obtain user activity data and user information. CloudSOC uses this

information to auto-import users from the SaaS application. The AWS Securlet supports all

services and regions supported by CloudTrail.

Prerequisites

To enable the AWS Securlet on your CloudSOC account:

● You must have administrative privileges on your CloudSOC account.

● You must activate CloudTrail on your AWS account.

We only monitor regions where CloudTrail is enabled. See 3. Activate CloudTrail on your AWS account, below, for the procedure.

● You must know your AWS Account number.

● The S3 buckets used must not have any periods in their names.

See: https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html

 

Activating the AWS Securlet

To activate the AWS Securlet, perform the procedures in the following subsections.

1. Create a custom policy

First, you create a custom policy that you can apply to a CloudSOC-specific role that you create

in a subsequent procedure.

Note: To define a role, you must be an administrator on your enterprise AWS account. You can use the root user or an IAM user with admin privileges; prefer an IAM user (or role) with administrative privileges and keep the root credentials for tasks that require them.

                1. If you have not already done so, login to your AWS account at this url:

                https://console.aws.amazon.com.

                2. Navigate to Services and select IAM. Choose Policies, then click Create Policy.

                3. Next to Create Your Own Policy, click JSON tab.

                                a. Depending on your location, and on whether you want CloudSOC to automatically discover buckets for the optional S3 content inspection, download one of the following files, open it in a text editor, copy its contents and paste them into the JSON editor field:

 

                                                                Automatic S3 bucket discovery

                                                                ● For the US-based production cloud:

                                                                https://app.elastica.net/static/store/aws_access_policy_automatic.json

                                                                ● For the EU-based production cloud:

                                                                https://app.eu.elastica.net/static/store/aws_access_policy_automatic.json

                                                                Manual S3 bucket discovery

                                                                ● For the US-based production cloud:

                                                                https://app.elastica.net/static/store/aws_access_policy_manual.json

                                                                ● For the EU-based production cloud:

                                                                https://app.eu.elastica.net/static/store/aws_access_policy_manual.json

 

                4. Click Review policy. AWS validates the policy document at this step.

                Tip: If AWS reports any validation errors, confirm that the pasted policy document text has both beginning and ending braces ("{" and "}") to ensure the policy text was pasted in its entirety.

                5. Enter a policy name (and description) for the policy in accordance with your company’s

                naming convention.

                6. Click Create Policy.

                7. Proceed to 2. Define the CloudSOC-specific role on your AWS account.

2. Define the CloudSOC-specific role on your AWS account

After creating a policy for the CloudSOC-specific role, you create the role itself:

                1. Browse to https://console.aws.amazon.com and login to your AWS account.

                2. Navigate to Services and select IAM.

                3. In the navigation bar, choose Roles.

                4. Click Create role.

                5. Select Another AWS account.

                a. Provide one of the following AWS Account ID numbers for the Account ID field.

                For the US-based production cloud:

                279556430935

                For the EU-based production cloud:

                845418340189

                b. Check Require external ID. For the External ID, enter El<your-account-id>, where:

                ● El is an uppercase letter "E" followed by a lowercase letter "L" (not an uppercase "I")

                ● <your-account-id> is your 12-digit AWS account ID number, including any leading zeros

                For example, if your AWS account ID is 012345678901, you would enter "El012345678901" (without the quote marks) for the External ID.

                The external ID is what distinguishes your tenant's role from every other tenant's role when CloudSOC's shared AWS account assumes them (the confused-deputy problem), so it has to match exactly.

                Important: Make sure you enter the CloudSOC account ID and External ID correctly. If you

                copy and paste the Account ID or External ID, make sure that there are no extraneous

                leading or trailing spaces. A mistake in either field causes the error “Failed to Assume

                Role” in red text in your CloudSOC browser when you enable the CloudSOC AWS

                Securlet as described in Enable the AWS Securlet.

                6. Click Next: Permissions.

                7. On the Attach Policy page, search for the custom policy you created in the section Create

                A Custom Policy. Mark the checkbox next to the policy.

                8. For the role name, enter the following name exactly as shown:

                elastica-cloudtrail-role

                9. Enter any convenient role description.

                10. Review the role configuration and click Create Role.

                11. On the Roles page, make sure the new role appears in the list of roles.

                12. Proceed to 3. Activate CloudTrail on your AWS account.
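Steps 5 through 10 above produce a role trust policy. As an added example (not from the tech note and not CloudSOC's own code), the Python below builds the equivalent trust policy document from your account ID and reviews an existing one for the mistakes that produce "Failed to Assume Role" or weaken the trust: a wrong or missing external ID, or an unexpected principal. The CloudSOC account IDs and the El<account-id> format come from the tech note; the policy layout is the standard one the console generates for "Another AWS account" with "Require external ID"; the function names and the sample account number are assumptions made for this example.

```python
"""Added example: build and check the trust policy of elastica-cloudtrail-role.

Not part of the CloudSOC tech note. Account IDs for CloudSOC come from the note;
the sample customer account number below is a constructed placeholder.
"""
import json
import re

# CloudSOC (Elastica) account IDs from the tech note, keyed by production cloud.
CLOUDSOC_ACCOUNTS = {
    "us": "279556430935",
    "eu": "845418340189",
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def external_id(your_account_id: str) -> str:
    """Return the External ID the Securlet expects: 'El' + your 12-digit account ID."""
    if not ACCOUNT_ID_RE.match(your_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits; keep leading zeros")
    return "El" + your_account_id


def trust_policy(your_account_id: str, cloud: str = "us") -> dict:
    """Trust policy equivalent to 'Another AWS account' + 'Require external ID'.

    Only the CloudSOC account may call sts:AssumeRole on the role, and only while
    presenting the expected sts:ExternalId. The external ID is what stops another
    CloudSOC tenant from registering *your* role under their tenant (the
    confused-deputy problem), so it is matched with StringEquals, never a wildcard.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{CLOUDSOC_ACCOUNTS[cloud]}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"sts:ExternalId": external_id(your_account_id)}
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy: dict, your_account_id: str) -> list:
    """List what in an existing trust policy would cause 'Failed to Assume Role'
    or would weaken the cross-account trust. Empty list means it looks right."""
    expected = external_id(your_account_id)
    trusted = {f"arn:aws:iam::{acct}:root" for acct in CLOUDSOC_ACCOUNTS.values()}
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if principal not in trusted:
            problems.append(f"unexpected principal {principal!r}; expected one of {sorted(trusted)}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition: any caller in the trusted account could assume the role")
        elif ext != expected:
            problems.append(f"external ID {ext!r} != {expected!r} (check for stray spaces, or 'EI' typed for 'El')")
    return problems


if __name__ == "__main__":
    sample_account = "012345678901"  # constructed placeholder, not a real account
    print(json.dumps(trust_policy(sample_account), indent=2))
    print(trust_policy_problems(trust_policy(sample_account), sample_account))  # []
```

To review a role you already created, fetch its trust policy with `aws iam get-role --role-name elastica-cloudtrail-role` (the document is in Role.AssumeRolePolicyDocument) and pass it to trust_policy_problems together with your account ID.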

3. Activate CloudTrail on your AWS account

In order to use the AWS Securlet, you enable the CloudTrail service on your AWS account in all

regions that you want to monitor. You also create an S3 bucket where CloudTrail places the

activity logs. We recommend that you enable CloudTrail for all regions as described in the

following procedure.

                1. In the AWS admin console, search on "CloudTrail" and click CloudTrail.

                2. In the navigation bar, click Trails, then click Create Trail.

                3. In the Create Trail area, give the trail a name and set "Apply trail to all regions" to Yes.

                Note: You can choose No if you do not want to enable CloudTrail in all regions. In that

                case, enable CloudTrail in the regions of interest, and make sure that the name of the S3

                bucket described below is the same for all regions.

                4. In the Storage location area, mark the radio button for Create a new S3 bucket, then click

                Advanced to show the advanced options.

                5. Use these settings for the new S3 bucket for CloudTrail logs. Other settings are optional:

                S3 bucket: Enter a name for the new S3 CloudTrail bucket. Record the bucket name so that you can enter it exactly the same when you activate the AWS Securlet in 6. Enable the AWS Securlet.

                Important: Do not enable content inspection for this bucket by CloudSOC. Doing so causes an error condition.

                Log file prefix: Leave blank, or include a prefix in accordance with your company's naming convention for log files. We recommend that you use the same prefix for all regions.

                Enable log file validation: Mark the No button.

                Send SNS notification for every log file delivery: Mark the No button.

                6. Click Create.

                7. Go to the SNS Dashboard in the region where the S3 bucket for CloudTrail activities is located.

                8. Confirm that the region selector of the console shows that same region. SNS topics are regional, and a bucket can only send event notifications to a topic in its own region.

                Note: If you don't know the region of your S3 bucket, you can find it on the S3 Dashboard. The Region is shown in the third column.

                9. In SNS Dashboard > Topics, click Create Topic.

                10. Provide a topic name of your choice.

                11. Under Access Policy, select Advanced.

                                a. Add the following snippet as a new statement in the Statement array of the existing topic policy. Replace <YOUR-TOPIC-ARN> with the ARN of your SNS topic, with no spaces inside the quotes.

                                b. Note: confirm that the pasted policy document text has both beginning and ending braces ("{" and "}") to ensure the policy text was pasted in its entirety.

                                {
                                    "Sid": "example-statement-ID",
                                    "Effect": "Allow",
                                    "Principal": {
                                        "AWS": "*"
                                    },
                                    "Action": "SNS:Publish",
                                    "Resource": "<YOUR-TOPIC-ARN>",
                                    "Condition": {
                                        "ArnLike": {
                                            "aws:SourceArn": "arn:aws:s3:*:*:*"
                                        }
                                    }
                                }

                                Caveat: with Principal "*" and aws:SourceArn "arn:aws:s3:*:*:*", any S3 bucket in any AWS account can publish to this topic. Where possible, replace the wildcard with the ARN of your CloudTrail bucket (arn:aws:s3:::<bucket-name>) and add a StringEquals condition on aws:SourceAccount with your own account ID, so that only your bucket can publish.

                12. Click Create Topic

                13. Navigate to the S3 Dashboard and select the S3 bucket for CloudTrail activities. Then

                click the Properties tab.

                14. Click Events, then click Add Notifications.

                15. Provide any name for the notification.

                16. In the Events area, mark the checkbox for All object create events.

                17. From the Send to menu, choose SNS Topic.

                18. From the SNS menu, choose the SNS topic you created earlier in this procedure.

                19. At the bottom of the Events box, click Save.

                20. If you have multiple accounts in AWS with a single bucket for cross-account CloudTrail,

                only perform this procedure for the account where the S3 bucket for CloudTrail activities

                is. You can skip creating a new CloudTrail if it is already active.

                See the following AWS article for more information about setting up multi-account

                CloudTrail:

                https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

 

4. (Optional) Manually enable S3 content inspection

Perform the procedure described in this section only if both of the following conditions are true:

● You want CloudSOC to perform content inspection on your S3 buckets

● You want to manually enter the S3 buckets for content inspection instead of having the

CloudSOC Securlet automatically discover them

Otherwise, skip ahead to 5. (Optional) Enable S3 Server Access Logging in AWS.

In this procedure, you create one SNS topic in each region where you have S3 buckets for which

you want to submit files for content inspection. Later, when you enable the Securlet, you

configure it with the ARNs for the topics.

                1. In SNS Dashboard > Topics, click Create Topic.

                2. Provide a topic name of your choice.

                3. Under Access Policy, select Advanced.

                                a. Add the following snippet as a new statement in the Statement array of the existing topic policy. Replace <YOUR-TOPIC-ARN> with the ARN of your SNS topic, with no spaces inside the quotes.

                                b. Note: confirm that the pasted policy document text has both beginning and ending braces ("{" and "}") to ensure the policy text was pasted in its entirety.

                                {
                                    "Sid": "example-statement-ID",
                                    "Effect": "Allow",
                                    "Principal": {
                                        "AWS": "*"
                                    },
                                    "Action": "SNS:Publish",
                                    "Resource": "<YOUR-TOPIC-ARN>",
                                    "Condition": {
                                        "ArnLike": {
                                            "aws:SourceArn": "arn:aws:s3:*:*:*"
                                        }
                                    }
                                }

                                Caveat: as written, any S3 bucket in any AWS account can publish to this topic. Where possible, list the ARNs of the buckets in this region that you want inspected (arn:aws:s3:::<bucket-name>) in aws:SourceArn instead of the wildcard, and add a StringEquals condition on aws:SourceAccount with your own account ID.

                                c. Click Create Topic.

                4. Navigate to the S3 Dashboard and select the S3 bucket for which you want content

                inspection. Then click the Properties tab.

                5. Click Events, then click Add Notifications.

                6. Provide any name for the notification.

                7. In the Events area, mark the checkboxes for All object create events and All object

                delete events.

                8. From the Send to menu, choose SNS Topic. Then, from the SNS menu, choose the SNS topic you created earlier in this procedure.

                9. At the bottom of the Events box, click Save.

                10. If you have multiple Buckets in the same region repeat the earlier steps in this procedure

                for S3 Bucket Events and use the same SNS topic as the destination for the events. Each

                region must have exactly one SNS topic for all the buckets for S3 content inspection in

                that region.
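The statement pasted in step 11 of 3. Activate CloudTrail on your AWS account and in step 3 of this section lets any S3 bucket in any AWS account publish to the topic, because the principal is "*" and aws:SourceArn is arn:aws:s3:*:*:*. The Python below is an added example, not from the tech note and not CloudSOC's code: it builds the same grant pinned to your bucket(s) and account, merges it into a topic's existing access policy (what the console's Advanced editor holds), and lints a policy for the broad form. The bucket-name rule (lowercase, no periods) follows the Prerequisites; the service-principal form of the statement is the one AWS documents for S3 event notifications; the function names and sample ARNs are assumptions made here.

```python
"""Added example: least-privilege SNS topic policy for S3 event notifications,
plus a linter for the overly broad form. Not part of the CloudSOC tech note.
"""
import json
import re

# Bucket names the Securlet accepts: lowercase, no periods (see Prerequisites).
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def s3_publish_statement(topic_arn: str, bucket_names: list, account_id: str,
                         sid: str = "AllowS3EventNotifications") -> dict:
    """Allow only the named buckets, owned by account_id, to publish to the topic.

    Compared with the tech note's snippet: the principal is the S3 service rather
    than "*", aws:SourceArn names the real bucket(s) instead of arn:aws:s3:*:*:*,
    and aws:SourceAccount pins the bucket owner. If you have to keep {"AWS": "*"}
    as the principal, keep the two conditions anyway.
    """
    for name in bucket_names:
        if not BUCKET_NAME_RE.match(name):
            raise ValueError(f"bucket name {name!r} is not valid for the Securlet (lowercase, no periods)")
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{name}" for name in bucket_names]},
            "StringEquals": {"aws:SourceAccount": account_id},
        },
    }


def with_statement(existing_policy: dict, stmt: dict) -> dict:
    """Return a copy of the topic's existing access policy with stmt added
    (replacing any statement that already uses the same Sid)."""
    policy = json.loads(json.dumps(existing_policy))  # deep copy, never mutate input
    statements = [s for s in _as_list(policy.get("Statement", [])) if s.get("Sid") != stmt["Sid"]]
    statements.append(stmt)
    policy["Statement"] = statements
    policy.setdefault("Version", "2012-10-17")
    return policy


def topic_policy_findings(policy: dict) -> list:
    """Flag SNS:Publish grants that any S3 bucket in any AWS account could satisfy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sns:publish", "sns:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        open_principal = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        cond = stmt.get("Condition", {})
        if open_principal and not cond:
            findings.append(f"{sid}: anyone can publish; no Condition at all")
            continue
        source_arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        if open_principal and not source_arns:
            findings.append(f"{sid}: open principal without an aws:SourceArn condition")
        # A wildcard in the resource part ("arn:aws:s3:*:*:*" or "arn:aws:s3:::*")
        # matches every bucket, which defeats the purpose of the condition.
        if any(arn.split(":")[-1] == "*" for arn in source_arns):
            findings.append(f"{sid}: aws:SourceArn {source_arns} matches every S3 bucket in every account")
        if open_principal and "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append(f"{sid}: no aws:SourceAccount condition; pin it to your account ID")
    return findings


if __name__ == "__main__":
    topic = "arn:aws:sns:eu-west-1:012345678901:cloudsoc-cloudtrail"  # constructed sample
    hardened = s3_publish_statement(topic, ["my-cloudtrail-logs"], "012345678901")
    print(json.dumps(with_statement({}, hardened), indent=2))
    print(topic_policy_findings({"Statement": [hardened]}))  # []
```

To check a topic you already created, fetch its policy with `aws sns get-topic-attributes --topic-arn <topic-arn> --query Attributes.Policy --output text`, json.loads the result and pass it to topic_policy_findings; the same function applied to the statement from the tech note reports both the wildcard source ARN and the missing aws:SourceAccount.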

5. (Optional) Enable S3 Server Access Logging in AWS

The AWS Securlet offers Amazon S3 Server Access Logging (SAL) support. You can use server

logs to give you an idea of the nature of traffic against your bucket. Note that this feature is not

meant to be a complete real-time accounting of all requests. Activity reports are subject to a

delay of 45 to 60 minutes.

Perform the steps in this section to have some or all of your Amazon S3 buckets monitored for

access requests. Note the following as you perform this procedure:

● The source buckets are the buckets for which you want CloudSOC to monitor all access

requests.

● The target bucket is the bucket where you want AWS to save the access logs for the

source buckets. This is the bucket from which the CloudSOC Securlet retrieves the logs.

The source and target bucket(s) must be in the same region.

To enable logging on a bucket:

                1. If you have not already done so, browse to https://console.aws.amazon.com/s3/ and login

                to the AWS Management Console.

                2. In Services, search on "S3" and choose S3.

                3. Click Create bucket to create the target bucket where AWS saves the access logs.

                4. In the Create Bucket box, use the Name and Region page to give the bucket a name and

                identify its region. The bucket must be in the same region as your source bucket. Note

                the correct target bucket name here, because you need it later in the section Enable the

                AWS Securlet.

                You can also use an existing target bucket in the same region as your source bucket

                resides.

                5. Click Next.

                6. On the list of your buckets, click the new target bucket. Then navigate to Management >

                Lifecycle.

                7. In the Lifecycle area, click Add lifecycle rule.

                8. On the Lifecycle Rule box, give the new rule a name.

                Leave the "add filter" box blank to apply the rule to the whole bucket.

                9. Click Next twice to go to the Expiration page.

                10. In the Configure Expiration page, mark the checkbox for Previous versions.

                11. Mark the checkbox for Permanently delete previous versions to and set the duration to

                                100 days.

                12. Click Next, review the lifecycle rule, then click Save.

                13. Navigate to a source bucket then the Properties tab, click Server access logging, then

                click Enable Logging.

                14. From the Target Bucket menu, choose the target bucket that you created earlier.

                15. (Optional) To specify a key prefix for log objects, in the Target Prefix box, type a prefix of

                your choice.

                16. Click Save.

                If you want more than one bucket to be monitored residing in different regions, you must repeat the procedure described in this section for each region.

                You have configured S3 Server Access Logging on your AWS account. Proceed to the section 6. Enable the AWS Securlet.

6. Enable the AWS Securlet

This section describes how to enable the AWS Securlet on your CloudSOC.

                1. Login to CloudSOC using your administrator credentials.

                2. In the CloudSOC left-side navigation bar, click Store.

                3. Scroll Down to Securlets and click See all in the upper right corner.

                4. Navigate to the Amazon Web Services Securlet app and click Activate.

                CloudSOC redirects you to the page where you provide additional information about your

                AWS account.

                5. Enter your AWS Account ID and a convenient account name.

                6. In the CloudTrail Support box, enter the AWS SNS ARN for your AWS account.

                You can copy the ARN of the SNS topic created in the CloudTrail configuration step from

                the AWS console.

                7. If you want CloudSOC to do content inspection on your S3 buckets, perform the following

                additional steps. Otherwise skip ahead to Step 13.

                8. Enable the slider for S3 Content Inspection Support.

                9. Unless you want to manually identify the S3 buckets for content inspection, mark

                Automatic. To use the manual option, you must provide the name and

                region for each bucket you want scanned.

                CloudSOC prompts whether you are sure you want to use automatic discovery for your

                S3 buckets. The prompt also offers you a link to the access policy for

                automatic discovery.

                Note: If you want to use automatic discovery, but implemented the policy for manual

                discovery in the section 1. Create a custom policy, click the button to download the

                automatic policy, then return to that section to change the custom policy so that it uses

                the automatic one instead of the manual one.

                10. Click Yes to confirm you want to use automatic bucket discovery. CloudSOC discovers

                your S3 buckets and lists them for you. The window may take several

                minutes to appear. Refresh your browser if the list does not appear after a few minutes.

                11. Mark the checkboxes next to the buckets you want CloudSOC to do content inspection

                on. Mark Scan Existing Data for each bucket only if you want AWS Securlet to scan all the

                existing data in the bucket. Note that the time required for the scan of existing data

                depends on the size of the bucket.

                Important: If you enable Server Access Logging (SAL), do not enable content inspection

                for the buckets for SAL, or for your CloudTrail logs, as described in the section 3. Activate

                CloudTrail on your AWS account. Doing so causes an error condition.

                12. Click Scan.

                13. If you are enabling server access logging in AWS S3 buckets as described in 5. (Optional)

                Enable S3 Server Access Logging in AWS, perform the following additional steps.

                Otherwise, click Save to complete the procedure.

                14. Enable the slider for S3 SAL Support.

                15. For each region in which you have S3 support, choose the region name and enter the

                name of the SAL target bucket in the region. Click + to add additional regions.

                Note: The AWS Securlet supports S3 logging only in regions where you have configured AWS CloudTrail.

                16. When you have added all applicable regions, click Save.

7. Enable AWS S3 bucket event notifications

Follow the instructions in this section if you are enabling SAL support as described in 5. (Optional)

Enable S3 Server Access Logging in AWS. Otherwise, skip this section.

To enable bucket event notifications:

                1. If you have not already done so, login to the AWS Management Console and open the

                Amazon S3 console at https://console.aws.amazon.com/s3/.

                2. In the Buckets list, select the target bucket that you configured with CloudSOC and

                navigate to Properties > Events.

                3. In the Events box, Click Add notification.

                4. In the Name box, type a descriptive name for your event configuration, for example,

                ‘CloudSOCS3config’.

                If you do not enter a name AWS generates a GUID that it uses for the name.

                5. In the Events area, choose the ObjectCreate (All) event type so that AWS sends a notification to the destination whenever an object is created in the bucket.

                6. In the Send To area, choose SQS Queue as the destination.

                7. In the SQS queue box, choose Add SQS ARN from the menu.

                8. In the SQS queue ARN box, enter the ARN in the following format (the US-based production cloud account is shown; for the EU-based production cloud, use 845418340189 in place of 279556430935):

                arn:aws:sqs:<region>:279556430935:elastica-cloudtrail-queue-<tenantname>-<account_id>

                Where:

                ● <region> is the AWS region code. As of the publication of this Tech Note, the applicable regions were:

                Region name                  Region code
                US East (Ohio)               us-east-2
                US East (N. Virginia)        us-east-1
                US West (N. California)      us-west-1
                US West (Oregon)             us-west-2
                Canada (Central)             ca-central-1
                Asia Pacific (Mumbai)        ap-south-1
                Asia Pacific (Osaka-Local)   ap-northeast-3
                Asia Pacific (Seoul)         ap-northeast-2
                Asia Pacific (Singapore)     ap-southeast-1
                Asia Pacific (Sydney)        ap-southeast-2
                Asia Pacific (Tokyo)         ap-northeast-1
                China (Ningxia)              cn-northwest-1
                EU (Frankfurt)               eu-central-1
                EU (Ireland)                 eu-west-1
                EU (London)                  eu-west-2
                EU (Paris)                   eu-west-3
                South America (São Paulo)    sa-east-1

                For a full list of CloudTrail regions and their codes, see the AWS documentation.

                ● <tenantname> is your CloudSOC tenant identifier

                ● < account_id > is your AWS Account ID

                For example, if your tenant identifier is xyzcom, your region is Ireland, and your 12-digit AWS account ID is 012345678901, the SQS queue ARN would be:

                arn:aws:sqs:eu-west-1:279556430935:elastica-cloudtrail-queue-xyzcom-012345678901

                Enter it on one line, all lowercase, with no spaces.

                9. Click Save. Amazon S3 sends a test message to the event notification destination.

                10. Repeat the instructions in this section for all regions in which you have target buckets.
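The queue ARN in step 8 is easy to get wrong by hand (stray spaces, a capitalised "Arn", the other cloud's account number, an 8-digit account ID), and a wrong ARN only shows up when the test message in step 9 fails. As an added example, not from the tech note and not CloudSOC's code, the Python below builds the ARN from its parts, validates one you typed, and emits the bucket notification configuration that steps 3 to 9 create in the console, in the shape the S3 API (put-bucket-notification-configuration) accepts. The CloudSOC account numbers, queue-name format and region codes come from the tech note; the function names, the lowercase-alphanumeric rule for tenant names and the sample values are assumptions made here.

```python
"""Added example: build, validate and use the CloudSOC SQS queue ARN for a
SAL target bucket. Not part of the CloudSOC tech note."""
import re

# CloudSOC account IDs from the tech note, by production cloud.
CLOUDSOC_ACCOUNTS = {"us": "279556430935", "eu": "845418340189"}

# Region codes listed in the tech note. China (cn-northwest-1) is left out
# because its ARNs use the aws-cn partition, which this builder does not handle.
REGION_CODES = {
    "us-east-2", "us-east-1", "us-west-1", "us-west-2", "ca-central-1",
    "ap-south-1", "ap-northeast-3", "ap-northeast-2", "ap-southeast-1",
    "ap-southeast-2", "ap-northeast-1", "eu-central-1", "eu-west-1",
    "eu-west-2", "eu-west-3", "sa-east-1",
}

QUEUE_PREFIX = "elastica-cloudtrail-queue-"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
TENANT_RE = re.compile(r"^[a-z0-9]+$")  # assumption: tenant ids like 'xyzcom' are lowercase alphanumeric


def cloudsoc_queue_arn(region: str, tenant: str, account_id: str, cloud: str = "us") -> str:
    """arn:aws:sqs:<region>:<CloudSOC account>:elastica-cloudtrail-queue-<tenant>-<account_id>"""
    if region not in REGION_CODES:
        raise ValueError(f"unknown or unsupported region code {region!r}")
    if not TENANT_RE.match(tenant):
        raise ValueError(f"tenant name {tenant!r} should be lowercase alphanumeric")
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account IDs are exactly 12 digits; keep leading zeros")
    return f"arn:aws:sqs:{region}:{CLOUDSOC_ACCOUNTS[cloud]}:{QUEUE_PREFIX}{tenant}-{account_id}"


def parse_cloudsoc_queue_arn(arn: str) -> dict:
    """Check an ARN before pasting it into the console and return its parts.

    Catches the usual paste problems: whitespace, a capitalised 'Arn', an
    account that is not CloudSOC's, a bad region code, a short account ID.
    """
    if arn != arn.strip() or " " in arn:
        raise ValueError("ARN contains whitespace; remove it")
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "sqs"]:
        raise ValueError("not an arn:aws:sqs:... ARN (the 'arn' prefix must be lowercase)")
    _, _, _, region, account, queue = parts
    cloud = next((c for c, a in CLOUDSOC_ACCOUNTS.items() if a == account), None)
    if cloud is None:
        raise ValueError(f"account {account} is not a CloudSOC account; expected one of {sorted(CLOUDSOC_ACCOUNTS.values())}")
    if region not in REGION_CODES:
        raise ValueError(f"unsupported region code {region!r}")
    if not queue.startswith(QUEUE_PREFIX):
        raise ValueError(f"queue name must start with {QUEUE_PREFIX!r}")
    tenant, sep, account_id = queue[len(QUEUE_PREFIX):].rpartition("-")
    if not sep or not ACCOUNT_ID_RE.match(account_id) or not TENANT_RE.match(tenant):
        raise ValueError("queue name must end with -<tenant>-<12-digit account id>")
    return {"cloud": cloud, "region": region, "tenant": tenant, "account_id": account_id}


def sal_notification_config(queue_arn: str, name: str = "CloudSOCS3config") -> dict:
    """NotificationConfiguration for a SAL target bucket: every object creation
    is sent to the CloudSOC queue (the ObjectCreate (All) choice in step 5)."""
    parse_cloudsoc_queue_arn(queue_arn)  # fail early on a malformed ARN
    return {
        "QueueConfigurations": [
            {"Id": name, "QueueArn": queue_arn, "Events": ["s3:ObjectCreated:*"]}
        ]
    }


if __name__ == "__main__":
    arn = cloudsoc_queue_arn("eu-west-1", "xyzcom", "012345678901", cloud="eu")  # constructed sample
    print(arn)
    print(sal_notification_config(arn))
```

The returned configuration can be applied with `aws s3api put-bucket-notification-configuration --bucket <target-bucket> --notification-configuration file://config.json` instead of clicking through Properties > Events; S3 sends the same test message to the queue either way.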

Activating the Securlet on additional AWS accounts

To activate the AWS Securlet for additional AWS accounts:

                1. Perform the procedures described in the subsections of Activating the AWS Securlet for the new AWS account.

                2. Instead of the procedure 6. Enable the AWS Securlet, do the steps below:

                a. In the CloudSOC store, locate the tile for the AWS Securlet and click Configure.

                b. On the page for AWS, choose Account Information > Register New Account.

                c. Enter the information for the new AWS account and click Save.

 

Additional Note:

If the S3 buckets to be inspected are encrypted with keys in AWS Key Management Service (KMS), the role also needs permission to use those keys. Add a statement like the following to the custom policy, with the ARN of each KMS key (or a key ARN pattern) used by the buckets. Account IDs are 12 digits.

Example:

            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt",
                    "kms:CreateGrant"
                ],
                "Resource": "arn:aws:kms:us-east-1:<12-digit account ID>:key/<key ID>"
            }

Check the key policy as well: KMS only honours permissions granted in IAM policies if the key policy allows it, and a key in another account must allow the role in its own key policy.

Cross-account access

If elastica-cloudtrail-role is in a different account of your organization from the S3 buckets to be scanned, add a statement like the following to the policy of each bucket, so that the role can list and read the bucket and its objects, write objects and configure the bucket's event notifications. Replace <AWS_Account_Number> with the account that owns the role and <bucket_name> with the bucket name.

Changes to S3 bucket policy

        {
            "Sid": "ElasticaRoleAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS_Account_Number>:role/elastica-cloudtrail-role"
            },
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject*",
                "s3:PutBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }

Cross-account access needs both sides: this bucket policy in the account that owns the bucket, and the custom policy from 1. Create a custom policy attached to the role in its own account. If the bucket is encrypted with a KMS key, that key's policy must also allow the role.