
AWS getting started guide (IAM user)

Version 5.0

May 12, 2020




Contents

Overview
Pre-requisites
Step 1 — Creating AWS IAM user
    Static IAM user credentials
Step 2 — AWS Multi-Tenant integration
    Create a global CloudTrail
    Create an SQS queue to receive S3 notifications
    Update SQS queue permissions
    Configure S3 notifications
    Grant Expel IAM user permissions
Step 3 — Configure AWS in Expel Workbench
    Register device in Expel Workbench
That’s it. Give yourself a pat on the back — you’re done!




Overview

Organizations leveraging AWS may use multiple regions or accounts. If an organization is using many regions or accounts, it may be difficult to onboard all of them individually with Expel. This guide details how Expel can consume CloudTrail data for all AWS accounts and regions via one global CloudTrail.

There are three steps that must be completed:

1. Creating AWS IAM user

2. AWS Single or Multi-Tenant integration

3. Integration with Expel Workbench™


Pre-requisites

An AWS account with permissions to create a CloudTrail, S3 bucket and SQS (Simple Queue Service) queue, and to modify IAM (Identity and Access Management) users.

To create a global CloudTrail across multiple accounts, you must be using AWS Organizations; otherwise, you’ll need to create one multi-region CloudTrail per AWS account.

Step 1 — Creating AWS IAM user

Static IAM user credentials

A. Information that Expel needs (Figure 1)

Field        Description
Access Key   Access key for an IAM user with the required permissions
Secret Key   Secret key for an IAM user with the required permissions
Authn type   basic

Figure 1



B. Log in to the AWS console and navigate to the IAM service. Use the Find Services search box, or expand All Services and look for IAM under Security, Identity, & Compliance (Figure 2)

Figure 2

C. Create an IAM Policy for Expel that manages the permissions for the user. Navigate to Policies and click Create Policy (Figure 3)

Figure 3



D. Add the required permissions to the policy. Select the JSON tab, copy and paste the text below, then press Review Policy (Figure 4 and Figure 5). Every action in this policy is a read-only Get/List/Describe-style call, which is why Resource "*" is acceptable here; the policy grants no write access to the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GenerateCredentialReport", "autoscaling:Describe*", "ec2:DescribeInstances", "ec2:DescribeRegions",
        "iam:List*", "logs:Describe*", "cloudtrail:GetTrailStatus", "iam:GenerateServiceLastAccessedDetails",
        "cloudtrail:GetEventSelectors", "guardduty:List*", "cloudwatch:Describe*", "iam:Get*", "sns:Get*",
        "iam:SimulatePrincipalPolicy", "iam:SimulateCustomPolicy", "cloudtrail:ListTags", "cloudwatch:Get*",
        "logs:FilterLogEvents", "cloudtrail:LookupEvents", "lambda:ListFunctions", "logs:List*", "cloudwatch:List*",
        "guardduty:Get*", "logs:TestMetricFilter", "logs:Get*", "cloudtrail:DescribeTrails", "sns:List*",
        "s3:ListAllMyBuckets", "cloudtrail:ListPublicKeys", "kms:ListAliases", "iam:ListAccountAliases",
        "s3:GetBucketLocation", "rds:ListTagsForResource", "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}

Figure 4



Figure 5

E. Review and name the policy (ExpelAPIPolicy, for example). Enter a Description for the policy and press Create Policy (Figure 6)

Figure 6



F. Create an IAM User for Expel by navigating to IAM > Users and pressing Add User (Figure 7)

Figure 7

G. Provide the User name (for example, ExpelAPI) and enable programmatic access. Then press Next: Permissions (Figure 8)

Figure 8



H. On the next screen, find and attach the Expel IAM Policy created earlier to the IAM User. Then press Next: Tags (Figure 9)

Figure 9

I. On the next screen, click Next: Review to skip the optional Add tags step

J. Review the user details and press Create user (Figure 10)

Figure 10



K. Once the user has been created, you will be presented with the access key and secret. This is the only time the Secret Access Key can be viewed, so save the Access Key ID and Secret Access Key in a safe place (a password manager or secrets store, not a shared document). Expel will need them later to authenticate as this user (Figure 11)

Figure 11

Step 2 — AWS Multi-Tenant integration

While working through the steps below, please record the following information for later use (Figure 12)

Field            Description
S3 Bucket ARN    The identifier for the S3 bucket where CloudTrail logs are being sent (used during the onboarding process but not needed in Workbench)
SQS Region       The AWS region that contains the SQS queue (ex: us-east-1)
SQS Queue ARN    The identifier for the SQS queue receiving S3 notifications (used during the onboarding process but not needed in Workbench)
SQS Queue URL    The URL for the SQS queue receiving S3 notifications (used during the onboarding process but not needed in Workbench)

Figure 12



Create a global CloudTrail

A. Log in to the AWS console. If you have multiple AWS accounts and use AWS Organizations, log in to your master account

B. Navigate to the CloudTrail service and create a new trail (Figure 13). Note: Be sure to create the trail in the correct home region

Figure 13

C. When creating a new trail, ensure the radio buttons are set to “Yes” for Apply trail to all regions and for Apply trail to my organization (if you are using AWS Organizations). See Figure 14

Figure 14



D. Complete configuration of the trail, optionally enabling data events for S3 buckets and Lambda functions. Create a new S3 bucket and make note of it for later (Figures 14–18)

Figure 15

Figure 16

Figure 17



Figure 18

E. Click Create; you will then see a confirmation page (Figure 19)

Figure 19

F. From the Trails listing after creating the trail, make note of the name of the S3 bucket that contains the CloudTrail logs (for example, XXXX-global-cloud-trail in Figure 19 above)

G . Navigate to the S3 service in the AWS console

H. On the S3 buckets list, click the Buckets icon next to the CloudTrail logs bucket. The property sheet will pop up. Click the Copy Bucket ARN button to copy the bucket’s ARN to your clipboard. You can paste this value temporarily into a text document for use later in these instructions. See Figure 20 (NOTE: in our example, the ARN was arn:aws:s3:::XXXX-global-cloud-trail)



Figure 20

Create an SQS queue to receive S3 notifications

In order to consume CloudTrail data from an S3 bucket, Expel needs to be notified when new data is added to the bucket. In this step, we will create an SQS queue for those notifications.

Note: The SQS queue must be in the same account & region as the S3 bucket containing the CloudTrail data
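To make the notification path concrete, here is an added example (written for this edit; it is not Expel’s consumer code and not part of the original guide) of what the consumer on the other end of that queue does with each message: parse the S3 event notification, recognise the CloudTrail object key, fetch and gunzip the log object, and pull the events out. It assumes boto3 for the live S3 call, which is injected as a function so that the sample runs offline against a constructed notification and a constructed gzipped CloudTrail log; the account ID 123456789012 and the bucket name example-global-cloud-trail are placeholders. It also handles two cases this setup produces: the s3:TestEvent message S3 sends when the notification is first saved, and digest files under CloudTrail-Digest/ that “All object create events” will also announce if log file validation is enabled on the trail.

```python
import gzip
import io
import json
import re
import urllib.parse
from typing import Callable, Iterator, List, Optional, Tuple

# CloudTrail's documented object-key layout:
#   AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
# Organization trails insert the org ID: AWSLogs/<org-id>/<account-id>/CloudTrail/...
# Digest files live under CloudTrail-Digest/ instead and deliberately do not match.
CLOUDTRAIL_KEY = re.compile(
    r"^AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<file>[^/]+\.json\.gz)$"
)


def s3_objects_from_notification(body: str) -> List[Tuple[str, str]]:
    """(bucket, key) pairs for ObjectCreated:* records in one SQS message body.

    The s3:TestEvent message S3 sends when a notification is first configured
    has no Records and therefore yields nothing.
    """
    out = []
    for rec in json.loads(body).get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        # Object keys inside notifications are URL-encoded.
        out.append((s3["bucket"]["name"], urllib.parse.unquote_plus(s3["object"]["key"])))
    return out


def parse_cloudtrail_key(key: str) -> Optional[dict]:
    """Account/region/date parsed from a CloudTrail log key, or None for any other object."""
    m = CLOUDTRAIL_KEY.match(key)
    return m.groupdict() if m else None


def cloudtrail_events(gz_bytes: bytes) -> Iterator[dict]:
    """Decompress one CloudTrail log object and yield its Records."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as f:
        yield from json.load(f).get("Records", [])


def process_message(body: str, get_object: Callable[[str, str], bytes]) -> List[dict]:
    """One consumer iteration: notification -> log object -> normalised events.

    get_object is injected so this runs offline; with boto3 it would be
        lambda b, k: s3.get_object(Bucket=b, Key=k)["Body"].read()
    Digest and other non-log objects are skipped rather than fetched.
    """
    events = []
    for bucket, key in s3_objects_from_notification(body):
        meta = parse_cloudtrail_key(key)
        if meta is None:
            continue
        for ev in cloudtrail_events(get_object(bucket, key)):
            events.append({
                "account": meta["account"],
                "region": meta["region"],
                "eventSource": ev.get("eventSource"),
                "eventName": ev.get("eventName"),
                "actor": ev.get("userIdentity", {}).get("arn"),
            })
    return events


# ---- Constructed sample input (not real data; account ID and bucket name are placeholders) ----
SAMPLE_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2020/05/12/"
              "123456789012_CloudTrail_us-east-1_20200512T0000Z_example.json.gz")
SAMPLE_LOG = {"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
]}
FAKE_BUCKET = {SAMPLE_KEY: gzip.compress(json.dumps(SAMPLE_LOG).encode())}
SAMPLE_NOTIFICATION = json.dumps({"Records": [{
    "eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-global-cloud-trail"}, "object": {"key": SAMPLE_KEY}},
}]})
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "example-global-cloud-trail"})


def demo() -> List[dict]:
    """Run the consumer step against the constructed notification and in-memory bucket."""
    return process_message(SAMPLE_NOTIFICATION, lambda bucket, key: FAKE_BUCKET[key])


if __name__ == "__main__":
    for e in demo():
        print(e)
```

The SQS permissions granted later in this guide (ReceiveMessage and DeleteMessage) map directly onto this loop: receive a message, process it as above, and delete it only after the object has been read, so that a failed fetch leaves the message in the queue to be retried.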



I. Navigate to Simple Queue Service and click Get Started Now (if this is the first SQS queue you have created) or click Create New Queue if you already have other SQS queues defined (Figure 21)

Figure 21

J. On the next screen, enter ExpelMasterCloudTrailNotify as the Queue Name. Check that the region is the Home Region, and select Standard Queue. Then press Quick-Create Queue (Figure 22)

Figure 22



K. Once the queue is created, record the SQS Queue ARN and URL for later (Figure 23)

Figure 23

In our example:

SQS URL: https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXXX/ExpelMasterCloudTrailNotify

SQS ARN: arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify



Update SQS queue permissions

In order for S3 to deliver notifications to the SQS queue, we have to update the permissions of the queue.

L. Select the Permissions tab and click “Edit Policy Document (advanced)” (Figure 24)

Figure 24

M. Update the policy JSON below and paste it in, replacing the following fields:

■ <YOUR_DEFAULT_POLICY_ID_HERE>: This value will already be in the Policy Template when you click on Edit Policy Document (Advanced)

■ <YOUR_SQS_QUEUE_ARN_HERE>: Paste your SQS queue ARN here

■ <YOUR_S3_BUCKET_ARN_HERE>: Paste your S3 bucket ARN here

SQS Policy Document

{
  "Version": "2012-10-17",
  "Id": "<YOUR_DEFAULT_POLICY_ID_HERE>",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "SQS:SendMessage",
      "Resource": "<YOUR_SQS_QUEUE_ARN_HERE>",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "<YOUR_S3_BUCKET_ARN_HERE>" }
      }
    }
  ]
}

Note: the Principal is a wildcard, so the aws:SourceArn condition is the only thing that limits who can send to this queue. Keep the condition, and make sure it names exactly the CloudTrail bucket.



See Figure 25 for a screenshot with our example values filled in.

Figure 25

N. Click Review Policy (Figure 25), and then Save Changes (Figure 26)

Figure 26



Configure S3 notifications

O. Navigate to the S3 bucket containing your CloudTrail logs (created in Steps A-H above, under Create a global CloudTrail).

P. Navigate to Properties > Advanced Settings (Figure 27)

Figure 27

Q. Click on Events and then click on Add Notification

R. Give the event a Name, for example Notify Queue (see Figure 28 for Steps R-V)

S. Select the All object create events checkbox under Events

T. Select SQS Queue under Send to

U. Select the SQS queue you created in the previous steps, for example ExpelMasterCloudTrailNotify



Figure 28

V. Click Save

W. The next screen should show the Active notification under Events (Figure 29)

Figure 29



Grant Expel IAM user permissions

X. Expel needs permissions on the SQS queue and S3 bucket to handle notifications and retrieve data from the bucket. Navigate to the existing Expel IAM user. The following steps will guide you through adding the following permissions:

SQS Permissions

– sqs:DeleteMessage

– sqs:DeleteMessageBatch

– sqs:ReceiveMessage

S3 Permissions

– s3:GetObject

Y. For a Static IAM User, the steps for adding an inline policy to the Expel user directly are:

■ Go to the IAM service, select Users, and select the user you created for the Static IAM User Credentials, ExpelAPI in this example. Click on Add inline policy (Figure 30)

Figure 30



■ Click on the JSON tab (Figure 31)

Figure 31

■ Create a new inline policy document by replacing the following fields (Figure 32)

– <YOUR_SQS_QUEUE_ARN_HERE>: Paste your SQS queue ARN here

– <YOUR_S3_BUCKET_ARN_HERE>: Paste your S3 bucket ARN here

Inline Policy Document

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:ReceiveMessage" ],
      "Effect": "Allow",
      "Resource": "<YOUR_SQS_QUEUE_ARN_HERE>"
    },
    {
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "<YOUR_S3_BUCKET_ARN_HERE>/*"
    }
  ]
}

Note: keep the trailing /* on the S3 resource. s3:GetObject is an object-level action, so granting it on the bucket ARN alone allows nothing.



With our example values filled in:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:ReceiveMessage" ],
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:ExpelMasterCloudTrailNotify"
    },
    {
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::XXXX-global-cloud-trail/*"
    }
  ]
}


Figure 32

■ Paste the policy in the JSON tab and click Review Policy (Figure 33)

Figure 33



■ Name the inline policy “ExpelMasterCloudTrailPolicy” and click Create Policy (Figure 34)

Figure 34
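The queue policy from Update SQS queue permissions (step M), the inline policy just created, and the ExpelAPIPolicy from Step 1 D all have to agree on the same two ARNs, and the mistakes that quietly break onboarding (a placeholder left in, the /* dropped from the S3 resource, the aws:SourceArn condition removed from the queue policy) are not flagged by the console. The following added example (written for this edit; it is not from the guide or from Expel) generates both ARN-dependent documents from the ARNs instead of hand-editing them, lints the result for those mistakes, and checks that every action in the API policy is read-only. Assumptions: the account ID 123456789012, the bucket example-global-cloud-trail and the policy Id __default_policy_ID are placeholders; the optional aws:SourceAccount condition is extra hardening against confused-deputy calls that AWS recommends and that the guide’s template does not include.

```python
import json
import re
from typing import Any, Dict, List

# ARN shapes as AWS documents them; queue names are 1-80 chars of [A-Za-z0-9_-].
SQS_ARN = re.compile(r"^arn:aws:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,80}$")
S3_BUCKET_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.-]{3,63}$")

CONSUMER_SQS_ACTIONS = ["sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:ReceiveMessage"]

# Operation-name prefixes that are read-only for every service the API policy touches.
READ_PREFIXES = ("Get", "List", "Describe", "Lookup", "Generate", "Simulate", "Test", "Filter")

# The action list of the guide's ExpelAPIPolicy (Step 1 D), copied as one string.
API_POLICY_ACTIONS = (
    "iam:GenerateCredentialReport autoscaling:Describe* ec2:DescribeInstances ec2:DescribeRegions "
    "iam:List* logs:Describe* cloudtrail:GetTrailStatus iam:GenerateServiceLastAccessedDetails "
    "cloudtrail:GetEventSelectors guardduty:List* cloudwatch:Describe* iam:Get* sns:Get* "
    "iam:SimulatePrincipalPolicy iam:SimulateCustomPolicy cloudtrail:ListTags cloudwatch:Get* "
    "logs:FilterLogEvents cloudtrail:LookupEvents lambda:ListFunctions logs:List* cloudwatch:List* "
    "guardduty:Get* logs:TestMetricFilter logs:Get* cloudtrail:DescribeTrails sns:List* "
    "s3:ListAllMyBuckets cloudtrail:ListPublicKeys kms:ListAliases iam:ListAccountAliases "
    "s3:GetBucketLocation rds:ListTagsForResource rds:DescribeDBInstances"
).split()


def non_read_actions(actions: List[str]) -> List[str]:
    """Actions that are a bare wildcard or whose operation does not carry a read-only prefix."""
    return [a for a in actions
            if a.partition(":")[2] == "*" or not a.partition(":")[2].startswith(READ_PREFIXES)]


def queue_policy(policy_id: str, queue_arn: str, bucket_arn: str, source_account: str = "") -> Dict[str, Any]:
    """Queue policy letting S3 deliver notifications for exactly one bucket.

    The wildcard principal is acceptable only because aws:SourceArn pins the caller to
    this bucket; aws:SourceAccount is optional extra hardening (assumption, not in the guide).
    """
    condition: Dict[str, Any] = {"ArnLike": {"aws:SourceArn": bucket_arn}}
    if source_account:
        condition["StringEquals"] = {"aws:SourceAccount": source_account}
    return {"Version": "2012-10-17", "Id": policy_id, "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SQS:SendMessage",
        "Resource": queue_arn, "Condition": condition}]}


def consumer_policy(queue_arn: str, bucket_arn: str) -> Dict[str, Any]:
    """Inline policy for the Expel user: consume the queue, read the log objects."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": CONSUMER_SQS_ACTIONS, "Resource": queue_arn},
        # s3:GetObject is object-level: the resource is <bucket ARN>/*, never the bucket ARN itself.
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": bucket_arn + "/*"}]}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def lint(queue_arn: str, bucket_arn: str, qpol: Dict[str, Any], cpol: Dict[str, Any]) -> List[str]:
    """Problems with a queue-policy / inline-policy pair; an empty list means they are consistent."""
    problems: List[str] = []
    if not SQS_ARN.match(queue_arn):
        problems.append(f"malformed SQS queue ARN: {queue_arn!r}")
    if not S3_BUCKET_ARN.match(bucket_arn):
        problems.append(f"malformed S3 bucket ARN: {bucket_arn!r}")
    for label, pol in (("queue policy", qpol), ("inline policy", cpol)):
        if "<YOUR_" in json.dumps(pol):
            problems.append(f"{label}: placeholder not replaced")
    for st in qpol["Statement"]:
        if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
            cond = st.get("Condition", {})
            src = (cond.get("ArnLike") or cond.get("ArnEquals") or {}).get("aws:SourceArn")
            if src is None:
                problems.append("queue policy: any principal may SendMessage (no aws:SourceArn condition)")
            elif src != bucket_arn:
                problems.append(f"queue policy: aws:SourceArn {src!r} is not the CloudTrail bucket")
        if st.get("Resource") != queue_arn:
            problems.append("queue policy: Resource is not this queue's ARN")
    for st in cpol["Statement"]:
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if "s3:GetObject" in actions and resources != [bucket_arn + "/*"]:
            problems.append("inline policy: s3:GetObject must be scoped to <bucket ARN>/*")
        sqs_actions = [a for a in actions if a.lower().startswith("sqs:")]
        if sqs_actions and resources != [queue_arn]:
            problems.append("inline policy: SQS actions must be scoped to the queue ARN")
        if set(sqs_actions) - set(CONSUMER_SQS_ACTIONS):
            problems.append("inline policy: SQS actions beyond receive/delete")
    return problems


# Constructed example values (the guide masks its own account ID and bucket name).
EXAMPLE_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:ExpelMasterCloudTrailNotify"
EXAMPLE_BUCKET_ARN = "arn:aws:s3:::example-global-cloud-trail"


def build_and_check(policy_id: str = "__default_policy_ID") -> List[str]:
    """Generate both documents for the example ARNs and return the lint findings."""
    qpol = queue_policy(policy_id, EXAMPLE_QUEUE_ARN, EXAMPLE_BUCKET_ARN, "123456789012")
    return lint(EXAMPLE_QUEUE_ARN, EXAMPLE_BUCKET_ARN, qpol, consumer_policy(EXAMPLE_QUEUE_ARN, EXAMPLE_BUCKET_ARN))
```

Paste the output of json.dumps(queue_policy(...), indent=2) and json.dumps(consumer_policy(...), indent=2) into the two console editors in place of the hand-edited templates; run lint on anything edited by hand before saving it.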

Z. That’s it! Now you’re ready to integrate AWS with Expel Workbench. You can do this directly within Workbench following the steps below, or provide the following information to your Expel Engagement Manager or Customer Success Engineer.

■ SQS Region (ex: us-east-1)

■ Access Key

■ Secret Key

■ Authn type = basic

Step 3 — Configure AWS in Expel Workbench

Now that we have gathered all the needed information, we can integrate AWS with Expel.

Register device in Expel Workbench

A. In a new browser tab, log in to https://workbench.expel.io

B. Enter the Security Code from Google Authenticator (two-factor authentication)

C. On the console page, navigate to Settings and click Security Devices



D. At the top right of the page, select Add Security Device (Figure 35)

Figure 35

E. Search for and select Amazon Multi-Tenant (Figure 36)

Figure 36

F. Select an Assembler from the drop-down (choose the Assembler you set up in Step 2 of the Getting Started with Expel guide)

G. Enter the Assembler Name and Location (examples in Figure 37 for Steps F and G)

Figure 37



H. Figure 38 lists the fields that need to be completed in Workbench:

Field        Description
SQS Region   The AWS region in use (ex: us-east-1)
Access Key   Access key for an IAM user with the required permissions
Secret Key   Secret key for an IAM user with the required permissions
Authn type   basic

Figure 38

I. Enter the data from the table above into the fields in Workbench as shown in Figure 39

Figure 39

J. Select Save

K. Backend configuration will take 30 minutes to complete; then refresh the Security Devices page and you should see your device status reporting as Healthy. If there is an issue, the page will provide more details of what the issue may be

L. To check whether alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for AWS alerts

That’s it. Give yourself a pat on the back — you’re done!

If you have any issues, concerns, questions or feedback, please don’t hesitate to contact Expel at devicehealth@expel.io.