AWS LPA Setup

Deploying and configuring the AWS LPA feature for InsightCloudSec

Before you start using the Principal Activity capability, you must complete the configuration that allows InsightCloudSec to import and display the associated data. Note: These settings are displayed as "LPA Configuration" within InsightCloudSec because the Principal Activity capability is the first component of our future LPA feature.

These requirements consist of the following:

  • Creating/Validating the appropriate IAM Roles and Permissions
  • Creating CloudTrails (this step is optional if you have an existing CloudTrail you plan to use with Principal Activity/LPA)
  • Updating Data Settings & Configuration within InsightCloudSec

If you have any questions or issues with Principal Activity, reach out through any of the options outlined on the Getting Support page.

IAM Roles and Permissions

Permissions

Principal Activity (LPA) requires multiple services and different roles to work correctly. The permissions from the following AWS services are required:

  • Athena: Main Query Executor
  • Glue: Used for retrieving the schema information
  • S3: CloudTrail source inputs, and Working bucket outputs

Policies

There are two policies that are required:

  • Cloudtrail Source Policy: This policy is applied to the credentials configured when specifying a CloudTrail Source. This credential reads CloudTrail source data and invokes Athena.
  • Working Bucket Policy: This policy is applied to the credentials configured to interact with the working bucket. It’s used for housekeeping of the working bucket as well as data retrieval.

In the below policies, there are fields you will need to update to reflect your specific environment.

Cloudtrail Source Policy

Additional CloudTrail Policy Considerations

We recommend that you choose a role for the CloudTrail source that shares an account with the CloudTrail S3 Bucket. If the role reading the CloudTrail source is in a separate account from the S3 bucket where the CloudTrail data is located, you may need to adjust object ownership permissions on the data, otherwise aggregations will fail with a “Forbidden” error when attempting to execute Athena queries.

If you choose not to configure this policy based on our recommendations you can address this potential error by:

  • Navigating to the CloudTrail bucket, selecting “Permissions” and changing the Object ownership from “Object Writer” to “Bucket Owner Preferred”. Note: This does NOT change existing permissions; additional configuration will be required to revise permissions/ownership of existing files. Refer to the AWS docs on how to do so.

If you have questions or issues with these configuration requirements, reach out to us through any of the options identified under Getting Support.

Update Sample Policy Fields

The fields in this policy that need to be updated with your data are:

  • <region>:<account_id>
  • <cloudtrail_source_bucket>
  • <working_bucket>

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeRegionsForSetup",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AthenaPermissionsForLPA",
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetWorkGroup",
                "athena:UpdateWorkGroup",
                "athena:CreateWorkGroup"
            ],
            "Resource": [
                "arn:aws:athena:<region>:<account_id>:workgroup/ics-iam-lpa"
            ]
        },
        {
            "Sid": "AthenaPermissionsForGlue",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabase",
                "glue:CreateTable",
                "glue:GetPartitions",
                "glue:CreateDatabase",
                "glue:DeleteTable",
                "glue:GetTable"
            ],
            "Resource": [
                "arn:aws:glue:<region>:<account_id>:catalog",
                "arn:aws:glue:<region>:<account_id>:database/ics-iam-lpa",
                "arn:aws:glue:<region>:<account_id>:table/ics-iam-lpa/*"
            ]
        },
        {
            "Sid": "AllowReadsFromSourceBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<cloudtrail_source_bucket>",
                "arn:aws:s3:::<cloudtrail_source_bucket>/*"
            ]
        },
        {
            "Sid": "AllowAthenaToWriteToWorkingBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:PutLifecycleConfiguration",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<working_bucket>",
                "arn:aws:s3:::<working_bucket>/*"
            ]
        }
    ]
}

Working Bucket Policy

Additional Bucket Policy Considerations

If the working S3 bucket and the CloudTrail source S3 bucket are in different accounts, which is the most likely case, you must grant the source account the same access shown below via a bucket policy on the working bucket.

Update Sample Policy Fields

The field in this policy that needs to be updated with your data is:

  • <working_bucket>

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeRegionsForSetup",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        },
        {
            "Sid": "ManageObjectsForAggregation",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::<working_bucket>",
                "arn:aws:s3:::<working_bucket>/*"
            ]
        }
    ]
}
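Both sample policies above carry placeholder fields, and a placeholder that is mistyped (for example left without its angle brackets) produces an ARN for a bucket that cannot exist. The following Python is an added example, not code from InsightCloudSec or this page; it fills the placeholders, refuses to emit a policy that still contains any, flags bucket names that violate S3 naming rules, and confirms the CloudTrail source bucket receives read-only actions. The embedded template is a constructed, abbreviated copy of the Cloudtrail Source Policy.

```python
import json
import re

PLACEHOLDER = re.compile(r"<([a-z_]+)>")
# S3 bucket naming rule (3-63 chars of lowercase letters, digits, dots, hyphens):
# an unreplaced literal such as "working_bucket" fails it because of the underscore.
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
READ_ONLY = {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"}

# Constructed, abbreviated copy of the page's Cloudtrail Source Policy: only the
# two S3 statements are kept so the example stays short.
SOURCE_POLICY_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReadsFromSourceBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::<cloudtrail_source_bucket>",
                      "arn:aws:s3:::<cloudtrail_source_bucket>/*"]},
        {"Sid": "AllowAthenaToWriteToWorkingBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::<working_bucket>", "arn:aws:s3:::<working_bucket>/*"]},
    ]})

def render_policy(template: str, values: dict) -> dict:
    """Fill <field> placeholders; refuse to emit a policy that still contains any."""
    rendered = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return json.loads(rendered)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _bucket_of(arn: str):
    """Bucket name from an arn:aws:s3::: resource, or None for non-S3 ARNs such as "*"."""
    return arn[len("arn:aws:s3:::"):].split("/", 1)[0] if arn.startswith("arn:aws:s3:::") else None

def invalid_bucket_names(policy: dict) -> list:
    """Names in the policy's S3 resources that violate S3 bucket naming rules."""
    names = {_bucket_of(r) for s in policy["Statement"] for r in _as_list(s["Resource"])}
    return sorted(n for n in names if n is not None and not BUCKET_NAME.match(n))

def source_bucket_is_read_only(policy: dict, source_bucket: str) -> bool:
    """The CloudTrail source bucket must only be read; any write or delete there is a mistake."""
    for stmt in policy["Statement"]:
        touches_source = any(_bucket_of(r) == source_bucket for r in _as_list(stmt["Resource"]))
        if touches_source and not set(_as_list(stmt["Action"])) <= READ_ONLY:
            return False
    return True
```

Run the full policy JSON from this page through `render_policy` and `invalid_bucket_names` before attaching it to a role; the same checks apply to the Working Bucket Policy.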

Creating a CloudTrail

Before getting started with Principal Activity (LPA), you need a CloudTrail configured. Follow the steps below, and refer to the AWS documentation on how to create a new CloudTrail.

Steps for Creating a New CloudTrail

1. Navigate to the CloudTrail service in the AWS Console for the account that the trail should be created in.

2. Select “Create Trail”.

3. Complete the trail attributes as follows:

  • Trail name: Your desired CloudTrail name
  • Storage location: Create new s3 bucket
    • Create a new log bucket and folder
  • Log file SSE-KMS encryption: enabled (recommended)
  • Customer managed AWS KMS key: your desired AWS KMS key
    • AWS KMS alias: your desired KMS alias
  • Additional settings
    • Log file validation: not required
    • SNS notification delivery: not required
  • CloudWatch Logs (optional): not required
  • Tags (optional): not required

Example CloudTrail Setup

4. Click "Next" once you have completed the form with your desired information.

5. Click "Create trail" to complete.

Settings & Configuration

These steps assume you have all of the appropriate configuration details on hand to complete the Principal Activity (LPA) configuration within InsightCloudSec.

1. Select the gear icon at the top right of InsightCloudSec (next to your profile), then navigate to "IAM Settings --> AWS LPA Working Directory".


LPA Configuration - AWS LPA Working Directory

2. Complete the form/fields as follows:

Working Directory Location

  • S3 URI: Update with the S3 bucket details associated with the bucket where your LPA (Principal Activity) will be stored. We recommend that:
    • You create an S3 bucket that is dedicated to storage of the LPA (Principal Activity) data
    • This dedicated bucket resides in the same location as your InsightCloudSec installation

Working Directory Authentication

  • Authentication Type: Select the credentials associated with the bucket you have configured to store LPA (Principal Activity) data
    • The fields will vary based on the credential type (e.g., Use Cloud Credentials, Assume Role, or STS Role)
    • Note: The selected credentials must have read/write access to the specified S3 bucket URI.

Test Settings
This button allows you to confirm that you have supplied a valid configuration. If you receive an error, the cause may be an incorrect S3 URI, misconfigured policies, or invalid IAM credentials.


Success - Valid Test Settings

LPA CloudTrail Sources

1. From the IAM Settings page, click "AWS LPA CloudTrail Sources" under the LPA Configuration options.

2. Click "Create Configuration".

3. Update with the S3 bucket details associated with the CloudTrail you want to use and click "OK".


New CloudTrail Configuration

Notes on LPA CloudTrail Sources

This section accepts a list of CloudTrail data sources; more than one source can be configured. Each source must contain the following:

  • A unique name for identification purposes
  • An S3 URI that points at the CloudTrail source. Note: This directory MUST POINT TO A DIRECTORY OF ACCOUNT IDS. (i.e. The prefix specified, when viewed in the S3 management console, must show a list of directories representing account ids.)
  • Credentials with READ access to the above S3 URI, WRITE access to the working LPA BUCKET, and Athena query read/execute permissions.
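The S3 URI requirement above is easy to get wrong by one directory level. As an added check (not part of InsightCloudSec or this page), the following Python splits an S3 URI, classifies the immediate sub-directories returned by an S3 listing into 12-digit account ids and everything else, and rejects a URI that is not at the account-id level. The bucket name, account ids and listing are constructed; `list_common_prefixes` is the live variant and assumes boto3 plus AWS credentials.

```python
import re
from urllib.parse import urlparse

ACCOUNT_DIR = re.compile(r"^(\d{12})/$")

def split_s3_uri(uri: str) -> tuple:
    """'s3://bucket/AWSLogs' -> ('bucket', 'AWSLogs/'); the prefix always ends in '/' (or is empty)."""
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an S3 URI: {uri}")
    prefix = parsed.path.lstrip("/")
    return parsed.netloc, (prefix + "/" if prefix and not prefix.endswith("/") else prefix)

def classify_subdirectories(prefix: str, common_prefixes: list) -> tuple:
    """Split the immediate sub-directories under `prefix` into 12-digit account ids and the rest.
    `common_prefixes` is what ListObjectsV2 with Delimiter='/' reports as CommonPrefixes."""
    accounts, others = set(), []
    for cp in common_prefixes:
        child = cp[len(prefix):] if cp.startswith(prefix) else cp
        match = ACCOUNT_DIR.match(child)
        if match:
            accounts.add(match.group(1))
        else:
            others.append(child)
    return accounts, sorted(others)

def check_cloudtrail_source(uri: str, common_prefixes: list) -> tuple:
    """Return (account ids, other entries); raise if the URI is not at the account-id level."""
    _, prefix = split_s3_uri(uri)
    accounts, others = classify_subdirectories(prefix, common_prefixes)
    if not accounts:
        hint = ""
        if any(o.startswith("o-") for o in others):  # organization trail: AWSLogs/o-.../<account>/
            hint = "; an organization trail nests account ids one level deeper, under the o-... directory"
        raise ValueError(f"{uri} lists no account-id directories, only {others}{hint}")
    return accounts, others

# Constructed listing: a trail bucket written by two member accounts plus one stray folder.
SAMPLE_LISTING = ["AWSLogs/111111111111/", "AWSLogs/222222222222/", "AWSLogs/scratch/"]

def list_common_prefixes(uri: str) -> list:
    """Live variant; needs boto3 and AWS credentials, so the offline sample above does not use it."""
    import boto3
    bucket, prefix = split_s3_uri(uri)
    pages = boto3.client("s3").get_paginator("list_objects_v2").paginate(
        Bucket=bucket, Prefix=prefix, Delimiter="/")
    return [cp["Prefix"] for page in pages for cp in page.get("CommonPrefixes", [])]
```

Any entries returned in the "others" list are worth reviewing before saving the source, since the prefix is expected to contain account-id directories only.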
