AWS LPA Setup
Deploying and configuring the AWS LPA feature for InsightCloudSec
Before you can use the Principal Activity capability, you must complete the configuration that allows InsightCloudSec to import and display the associated data. Note: These settings are labeled "LPA Configuration" within InsightCloudSec because the Principal Activity capability is the first component of our future LPA feature.
These requirements consist of the following:
- Creating/Validating the appropriate IAM Roles and Permissions
- Creating CloudTrails (this step is optional if you have an existing CloudTrail you plan to use with Principal Activity/LPA)
- Updating Data Settings & Configuration within InsightCloudSec
If you have any questions or issues with Principal Activity reach out through any of the options outlined on the Getting Support page.
IAM Roles and Permissions
Permissions
Principal Activity (LPA) depends on several AWS services and on roles that hold the right permissions for each of them. Permissions on the following AWS services are required:
- Athena: the main query executor
- Glue: used to retrieve schema information for the Athena tables
- S3: reads CloudTrail source input and writes query output to the working bucket
Policies
Two policies are required:
- CloudTrail Source Policy: This policy is applied to the credentials configured when specifying a CloudTrail Source. That credential reads CloudTrail source data and invokes Athena.
- Working Bucket Policy: This policy is applied to the credentials configured to interact with the working bucket. It is used for housekeeping of the working bucket as well as data retrieval.
In the policies below, replace the placeholder fields with the values from your environment.
Cloudtrail Source Policy
Additional CloudTrail Policy Considerations
We recommend that the role used for the CloudTrail source is in the same account as the CloudTrail S3 bucket. If the role reading the CloudTrail source is in a different account from the S3 bucket that holds the CloudTrail data, you may need to adjust object ownership on that data; otherwise aggregations fail with a "Forbidden" error when Athena queries execute, because the objects are readable only by the account that wrote them.
If you choose not to follow this recommendation, you can address the error by:
- Navigating to the CloudTrail bucket, selecting "Permissions", and changing Object Ownership from "Object writer" to "Bucket owner preferred" (the "Bucket owner enforced" setting, which disables ACLs entirely and makes the bucket owner own every object, also resolves it). Note: This does NOT change the ownership of objects that already exist in the bucket; additional steps are required to revise permissions/ownership of existing files. Refer to the AWS documentation on how to do so.
If you have questions or issues with these configuration requirements reach out to us through any of the options identified under Getting Support.
Update Sample Policy Fields
The fields in this policy that need to be updated with your data are:
<region>:<account_id>
<cloudtrail_source_bucket>
<working_bucket>
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeRegionsForSetup",
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions"
],
"Resource": "*"
},
{
"Sid": "AthenaPermissionsForLPA",
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetWorkGroup",
"athena:UpdateWorkGroup",
"athena:CreateWorkGroup"
],
"Resource": [
"arn:aws:athena:<region>:<account_id>:workgroup/ics-iam-lpa"
]
},
{
"Sid": "AthenaPermissionsForGlue",
"Effect": "Allow",
"Action": [
"glue:GetDatabase",
"glue:CreateTable",
"glue:GetPartitions",
"glue:CreateDatabase",
"glue:DeleteTable",
"glue:GetTable"
],
"Resource": [
"arn:aws:glue:<region>:<account_id>:catalog",
"arn:aws:glue:<region>:<account_id>:database/ics-iam-lpa",
"arn:aws:glue:<region>:<account_id>:table/ics-iam-lpa/*"
]
},
{
"Sid": "AllowReadsFromSourceBucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<cloudtrail_source_bucket>",
"arn:aws:s3:::<cloudtrail_source_bucket>/*"
]
},
{
"Sid": "AllowAthenaToWriteToWorkingBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutLifecycleConfiguration",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::<working_bucket>",
"arn:aws:s3:::<working_bucket>/*"
]
}
]
}
Working Bucket Policy
Additional Bucket Policy Considerations
If the working S3 bucket and the CloudTrail source S3 bucket are in different accounts, which is the most likely setup, you must also grant the source account's role the same access as below through a bucket policy on the working bucket; an identity policy in the source account alone is not enough to reach a bucket owned by another account.
Update Sample Policy Fields
The field in this policy that needs to be updated with your data is:
<working_bucket>
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeRegionsForSetup",
"Effect": "Allow",
"Action": "ec2:DescribeRegions",
"Resource": "*"
},
{
"Sid": "ManageObjectsForAggregation",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutLifecycleConfiguration"
],
"Resource": [
"arn:aws:s3:::<working_bucket>",
"arn:aws:s3:::<working_bucket>/*"
]
}
]
}
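The two templates above are easy to get wrong by hand: a placeholder left in an ARN silently grants nothing, and widening a Resource to "*" to make a "Forbidden" error go away silently grants far too much. The following is an added example, not InsightCloudSec's own tooling: it fills in both templates from real values, builds the working-bucket bucket policy that the cross-account note above calls for (scoped to one role ARN rather than the whole source account, which is an assumption on our part about what you want to grant), and audits the result for leftover placeholders, wildcard actions, and over-broad resources before you attach it. The bucket and role names are made up.

```python
import json
import re

# Added example (not InsightCloudSec's tooling): fills in the two policy templates
# above and audits the result before you attach it to a role.
PLACEHOLDER = re.compile(r"<[a-z_]+>")   # the <region>, <account_id>, ... fields above
LPA_NAME = "ics-iam-lpa"                 # workgroup/database name used in the templates

def source_policy(region, account_id, source_bucket, working_bucket):
    """CloudTrail Source policy from the page, with every placeholder filled in."""
    glue = f"arn:aws:glue:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeRegionsForSetup", "Effect": "Allow",
             "Action": ["ec2:DescribeRegions"], "Resource": "*"},
            {"Sid": "AthenaPermissionsForLPA", "Effect": "Allow",
             "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                        "athena:GetQueryResults", "athena:GetWorkGroup",
                        "athena:UpdateWorkGroup", "athena:CreateWorkGroup"],
             "Resource": [f"arn:aws:athena:{region}:{account_id}:workgroup/{LPA_NAME}"]},
            {"Sid": "AthenaPermissionsForGlue", "Effect": "Allow",
             "Action": ["glue:GetDatabase", "glue:CreateTable", "glue:GetPartitions",
                        "glue:CreateDatabase", "glue:DeleteTable", "glue:GetTable"],
             "Resource": [f"{glue}:catalog", f"{glue}:database/{LPA_NAME}",
                          f"{glue}:table/{LPA_NAME}/*"]},
            {"Sid": "AllowReadsFromSourceBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{source_bucket}",
                          f"arn:aws:s3:::{source_bucket}/*"]},
            {"Sid": "AllowAthenaToWriteToWorkingBucket", "Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                        "s3:PutObject", "s3:ListBucketMultipartUploads",
                        "s3:ListMultipartUploadParts", "s3:PutLifecycleConfiguration",
                        "s3:AbortMultipartUpload", "s3:DeleteObject",
                        "s3:DeleteObjectVersion"],
             "Resource": [f"arn:aws:s3:::{working_bucket}",
                          f"arn:aws:s3:::{working_bucket}/*"]},
        ],
    }

WORKING_BUCKET_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket",
                          "s3:DeleteObject", "s3:DeleteObjectVersion",
                          "s3:PutLifecycleConfiguration"]

def working_bucket_policy(working_bucket):
    """Working Bucket identity policy from the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeRegionsForSetup", "Effect": "Allow",
             "Action": "ec2:DescribeRegions", "Resource": "*"},
            {"Sid": "ManageObjectsForAggregation", "Effect": "Allow",
             "Action": WORKING_BUCKET_ACTIONS,
             "Resource": [f"arn:aws:s3:::{working_bucket}",
                          f"arn:aws:s3:::{working_bucket}/*"]},
        ],
    }

def cross_account_bucket_policy(working_bucket, source_role_arn):
    """S3 bucket policy for the working bucket when the CloudTrail source role lives in
    another account: grants that one role (not the whole account) the same actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowLpaSourceRole", "Effect": "Allow",
             "Principal": {"AWS": source_role_arn},
             "Action": WORKING_BUCKET_ACTIONS,
             "Resource": [f"arn:aws:s3:::{working_bucket}",
                          f"arn:aws:s3:::{working_bucket}/*"]},
        ],
    }

def _strings(node):
    """Every string value anywhere in a policy document."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)
    elif isinstance(node, str):
        yield node

def audit(policy):
    """Findings that should block attaching the policy: leftover placeholders,
    wildcard actions, and Resource "*" on anything but ec2:DescribeRegions."""
    findings = [f"unfilled placeholder in {s!r}" for s in _strings(policy) if PLACEHOLDER.search(s)]
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "(no Sid)")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if "*" in resources and actions != ["ec2:DescribeRegions"]:
            findings.append(f"{sid}: Resource '*' on actions other than ec2:DescribeRegions")
    return findings

if __name__ == "__main__":
    policy = source_policy("us-east-1", "123456789012", "my-cloudtrail-logs", "my-lpa-working")
    print(json.dumps(policy, indent=2))   # paste this into the IAM console
    print("findings:", audit(policy))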
Creating a CloudTrail
Before getting started with Principal Activity (LPA) you need a CloudTrail that writes to S3. Follow the steps below, and refer to the AWS documentation for details on creating a new trail.
- If you already have CloudTrail configured, skip to the setup within InsightCloudSec and use your existing CloudTrail bucket details.
Steps for Creating a New CloudTrail
1. Navigate to the CloudTrail service in the AWS Console for the account in which the trail should be created.
2. Select “Create Trail”.
3. Complete the trail attributes as follows:
- Trail name: Your desired CloudTrail name
- Storage location: Create new S3 bucket
- Create a new log bucket and folder
- Log file SSE-KMS encryption: enabled (recommended)
- Customer managed AWS KMS key: your desired AWS KMS key
- AWS KMS alias: your desired KMS alias
- Additional settings
- Log file validation: not required by LPA (enabling it is still good practice, since the digest files let you detect tampering with delivered logs)
- SNS notification delivery: not required
- CloudWatch Logs (optional): not required
- Tags (optional): not required

Example CloudTrail Setup
4. Click "Next" once you have completed the form with your desired information.
5. Click "Create trail" to complete.
Settings & Configuration
These steps assume you have all of the appropriate configuration details on hand to complete the Principal Activity (LPA) configuration within InsightCloudSec.
1. Select the gear icon at the top right of InsightCloudSec (next to your profile), then navigate to "IAM Settings --> AWS LPA Working Directory".

LPA Configuration - AWS LPA Working Directory
2. Complete the form/fields as follows:
Working Directory Location
- S3 URI: Update with the S3 bucket details associated with the bucket where your LPA (Principal Activity) will be stored. We recommend that:
- You create an S3 bucket that is dedicated to storage of the LPA (Principal Activity) data
- This dedicated bucket resides in the same location as your InsightCloudSec installation
Working Directory Authentication
- Authentication Type: Select the credentials associated with the bucket you have configured to store LPA (Principal Activity) data
- The fields will vary based on the credential type (e.g., Use Cloud Credentials, Assume Role, or STS Role)
- Note: The selected credentials must have read/write access to the specified S3 bucket URI.
Test Settings
This button confirms that you have supplied a valid configuration. If you receive an error, the cause is most often an incorrect S3 URI, misconfigured policies, or invalid IAM credentials.

Success - Valid Test Settings
LPA CloudTrail Sources
1. From the IAM Settings page, click "AWS LPA CloudTrail Sources" under the LPA Configuration options.
2. Click "Create Configuration".
3. Update with the S3 bucket details associated with the CloudTrail you want to use and click "OK".

New CloudTrail Configuration
Notes on LPA CloudTrail Sources
This section supports a list of sources of CloudTrail data, and there can be more than one. Each source must contain the following:
- A unique name for identification purposes
- An S3 URI that points at the CloudTrail source. Note: The prefix MUST point to a directory of account IDs (that is, when you browse the prefix in the S3 management console, you must see a list of directories named with account IDs). For a trail in a single account that is normally the AWSLogs/ prefix; for an organization trail it is AWSLogs/<organization-id>/, since the account directories sit one level deeper.
- Credentials with READ access to the above S3 URI, WRITE access to the working LPA BUCKET, and Athena query read/execute permissions.
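Getting the source prefix wrong is the most common reason a CloudTrail source yields no data, so it is worth checking a bucket listing before saving the configuration. The following is an added example, not part of InsightCloudSec: given the object keys under a bucket (here a constructed listing, not real data, in the standard CloudTrail layouts for a single-account trail and for an organization trail) it parses the S3 URI, lists the "directories" directly under a prefix the way the console does, checks that every one of them is a 12-digit account ID, and suggests the prefixes that satisfy the rule. Feed it the output of a real listing (for example `aws s3api list-objects-v2 --bucket ... --query 'Contents[].Key'`) to check your own bucket.

```python
import re
from urllib.parse import urlparse

ACCOUNT_ID = re.compile(r"^\d{12}$")

# Constructed sample object keys (not real data) in the standard CloudTrail layouts:
#   single-account trail:  AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>
#   organization trail:    AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>
SINGLE_ACCOUNT_KEYS = [
    "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/15/123456789012_CloudTrail_us-east-1_20240115T0005Z_a1.json.gz",
    "AWSLogs/123456789012/CloudTrail/eu-west-1/2024/01/15/123456789012_CloudTrail_eu-west-1_20240115T0005Z_b2.json.gz",
    "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/15/123456789012_CloudTrail-Digest_us-east-1_20240115T000000Z.json.gz",
]
ORG_TRAIL_KEYS = [
    "AWSLogs/o-exampleorgid/111111111111/CloudTrail/us-east-1/2024/01/15/111111111111_CloudTrail_us-east-1_20240115T0005Z_c3.json.gz",
    "AWSLogs/o-exampleorgid/222222222222/CloudTrail/us-east-1/2024/01/15/222222222222_CloudTrail_us-east-1_20240115T0005Z_d4.json.gz",
]

def parse_s3_uri(uri):
    """Split 's3://bucket/prefix' into (bucket, prefix); a non-empty prefix gets a trailing slash."""
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an S3 URI: {uri}")
    prefix = parsed.path.lstrip("/")
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    return parsed.netloc, prefix

def child_dirs(keys, prefix):
    """Names of the 'directories' directly under prefix, as the S3 console would list them."""
    children = set()
    for key in keys:
        if not key.startswith(prefix):
            continue
        head, sep, _ = key[len(prefix):].partition("/")
        if sep:  # a deeper path follows, so head is a directory rather than an object
            children.add(head)
    return sorted(children)

def validate_source_prefix(keys, prefix):
    """(ok, children): ok only if every directory directly under prefix is a 12-digit account ID."""
    children = child_dirs(keys, prefix)
    return bool(children) and all(ACCOUNT_ID.match(c) for c in children), children

def suggest_source_prefixes(keys):
    """Every prefix in the listing that satisfies validate_source_prefix, e.g. to pick the
    right level for an organization trail where AWSLogs/ alone would show the org ID."""
    candidates = {""}
    for key in keys:
        parts = key.split("/")[:-1]          # drop the object name, keep directory components
        for depth in range(1, len(parts) + 1):
            candidates.add("/".join(parts[:depth]) + "/")
    return sorted(p for p in candidates if validate_source_prefix(keys, p)[0])

if __name__ == "__main__":
    bucket, prefix = parse_s3_uri("s3://my-org-trail-bucket/AWSLogs")
    ok, children = validate_source_prefix(ORG_TRAIL_KEYS, prefix)
    print(f"{bucket}/{prefix} -> ok={ok}, children={children}")
    print("usable prefixes:", suggest_source_prefixes(ORG_TRAIL_KEYS))
```

For the organization-trail listing, `AWSLogs/` is rejected because the only child is the organization ID, and the suggestion is `AWSLogs/o-exampleorgid/`; the role's `s3:ListBucket` permission from the CloudTrail Source policy above is what lets you produce this listing in the first place.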
Updated 5 months ago